diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4edd448067a..6957d3f5446 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -146,6 +146,7 @@ jobs:
                   smoke/test_vm_snapshot_kvm
                   smoke/test_vm_snapshots
                   smoke/test_volumes
+                  smoke/test_vpc_conserve_mode
                   smoke/test_vpc_ipv6
                   smoke/test_vpc_redundant
                   smoke/test_vpc_router_nics
diff --git a/api/src/main/java/com/cloud/configuration/ConfigurationService.java b/api/src/main/java/com/cloud/configuration/ConfigurationService.java
index 438283136d2..729f72b23ca 100644
--- a/api/src/main/java/com/cloud/configuration/ConfigurationService.java
+++ b/api/src/main/java/com/cloud/configuration/ConfigurationService.java
@@ -24,15 +24,18 @@ import com.cloud.network.Network;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.admin.config.ResetCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateManagementNetworkIpRangeCmd;
-import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.ListGuestNetworkIpv6PrefixesCmd;
+import org.apache.cloudstack.api.command.admin.network.NetworkOfferingBaseCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdatePodManagementNetworkIpRangeCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateDiskOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.DeleteDiskOfferingCmd;
@@ -105,6 +108,33 @@ public interface ConfigurationService {
      */
     ServiceOffering createServiceOffering(CreateServiceOfferingCmd cmd);
 
+    /**
+     * Clones a service offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created service offering cloned from source, null otherwise
+     */
+    ServiceOffering cloneServiceOffering(CloneServiceOfferingCmd cmd);
+
+    /**
+     * Clones a disk offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created disk offering cloned from source, null otherwise
+     */
+    DiskOffering cloneDiskOffering(CloneDiskOfferingCmd cmd);
+
+    /**
+     * Clones a network offering with optional parameter overrides
+     *
+     * @param cmd
+     *            the command object that specifies the source offering ID and optional parameter overrides
+     * @return the newly created network offering cloned from source, null otherwise
+     */
+    NetworkOffering cloneNetworkOffering(CloneNetworkOfferingCmd cmd);
+
     /**
      * Updates a service offering
      *
@@ -282,7 +312,7 @@ public interface ConfigurationService {
 
     boolean releasePublicIpRange(ReleasePublicIpRangeCmd cmd);
 
-    NetworkOffering createNetworkOffering(CreateNetworkOfferingCmd cmd);
+    NetworkOffering createNetworkOffering(NetworkOfferingBaseCmd cmd);
 
     NetworkOffering updateNetworkOffering(UpdateNetworkOfferingCmd cmd);
 
diff --git a/api/src/main/java/com/cloud/event/EventTypes.java b/api/src/main/java/com/cloud/event/EventTypes.java
index 889e821a090..42395bf8999 100644
--- a/api/src/main/java/com/cloud/event/EventTypes.java
+++ b/api/src/main/java/com/cloud/event/EventTypes.java
@@ -298,8 +298,9 @@ public class EventTypes {
     public static final String EVENT_REGISTER_CNI_CONFIG = "REGISTER.CNI.CONFIG";
     public static final String EVENT_DELETE_CNI_CONFIG = "DELETE.CNI.CONFIG";
 
-    //register for user API and secret keys
+    //user API and secret keys
     public static final String EVENT_REGISTER_FOR_SECRET_API_KEY = "REGISTER.USER.KEY";
+    public static final String EVENT_DELETE_SECRET_API_KEY = "DELETE.USER.KEY";
     public static final String API_KEY_ACCESS_UPDATE = "API.KEY.ACCESS.UPDATE";
 
     // Template Events
@@ -374,11 +375,13 @@ public class EventTypes {
 
     // Service Offerings
     public static final String EVENT_SERVICE_OFFERING_CREATE = "SERVICE.OFFERING.CREATE";
+    public static final String EVENT_SERVICE_OFFERING_CLONE = "SERVICE.OFFERING.CLONE";
     public static final String EVENT_SERVICE_OFFERING_EDIT = "SERVICE.OFFERING.EDIT";
     public static final String EVENT_SERVICE_OFFERING_DELETE = "SERVICE.OFFERING.DELETE";
 
     // Disk Offerings
     public static final String EVENT_DISK_OFFERING_CREATE = "DISK.OFFERING.CREATE";
+    public static final String EVENT_DISK_OFFERING_CLONE = "DISK.OFFERING.CLONE";
     public static final String EVENT_DISK_OFFERING_EDIT = "DISK.OFFERING.EDIT";
     public static final String EVENT_DISK_OFFERING_DELETE = "DISK.OFFERING.DELETE";
 
@@ -399,6 +402,7 @@ public class EventTypes {
 
     // Network offerings
     public static final String EVENT_NETWORK_OFFERING_CREATE = "NETWORK.OFFERING.CREATE";
+    public static final String EVENT_NETWORK_OFFERING_CLONE = "NETWORK.OFFERING.CLONE";
     public static final String EVENT_NETWORK_OFFERING_ASSIGN = "NETWORK.OFFERING.ASSIGN";
     public static final String EVENT_NETWORK_OFFERING_EDIT = "NETWORK.OFFERING.EDIT";
     public static final String EVENT_NETWORK_OFFERING_REMOVE = "NETWORK.OFFERING.REMOVE";
@@ -598,6 +602,7 @@ public class EventTypes {
 
     // VPC offerings
     public static final String EVENT_VPC_OFFERING_CREATE = "VPC.OFFERING.CREATE";
+    public static final String EVENT_VPC_OFFERING_CLONE = "VPC.OFFERING.CLONE";
     public static final String EVENT_VPC_OFFERING_UPDATE = "VPC.OFFERING.UPDATE";
     public static final String EVENT_VPC_OFFERING_DELETE = "VPC.OFFERING.DELETE";
 
@@ -630,6 +635,7 @@ public class EventTypes {
 
     // Backup and Recovery events
     public static final String EVENT_VM_BACKUP_IMPORT_OFFERING = "BACKUP.IMPORT.OFFERING";
+    public static final String EVENT_VM_BACKUP_OFFERING_CLONE = "BACKUP.OFFERING.CLONE";
     public static final String EVENT_VM_BACKUP_OFFERING_ASSIGN = "BACKUP.OFFERING.ASSIGN";
     public static final String EVENT_VM_BACKUP_OFFERING_REMOVE = "BACKUP.OFFERING.REMOVE";
     public static final String EVENT_VM_BACKUP_CREATE = "BACKUP.CREATE";
@@ -1045,11 +1051,13 @@ public class EventTypes {
 
         // Service Offerings
         entityEventDetails.put(EVENT_SERVICE_OFFERING_CREATE, ServiceOffering.class);
+        entityEventDetails.put(EVENT_SERVICE_OFFERING_CLONE, ServiceOffering.class);
         entityEventDetails.put(EVENT_SERVICE_OFFERING_EDIT, ServiceOffering.class);
         entityEventDetails.put(EVENT_SERVICE_OFFERING_DELETE, ServiceOffering.class);
 
         // Disk Offerings
         entityEventDetails.put(EVENT_DISK_OFFERING_CREATE, DiskOffering.class);
+        entityEventDetails.put(EVENT_DISK_OFFERING_CLONE, DiskOffering.class);
         entityEventDetails.put(EVENT_DISK_OFFERING_EDIT, DiskOffering.class);
         entityEventDetails.put(EVENT_DISK_OFFERING_DELETE, DiskOffering.class);
 
@@ -1070,6 +1078,7 @@ public class EventTypes {
 
         // Network offerings
         entityEventDetails.put(EVENT_NETWORK_OFFERING_CREATE, NetworkOffering.class);
+        entityEventDetails.put(EVENT_NETWORK_OFFERING_CLONE, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_ASSIGN, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_EDIT, NetworkOffering.class);
         entityEventDetails.put(EVENT_NETWORK_OFFERING_REMOVE, NetworkOffering.class);
diff --git a/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesCluster.java b/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesCluster.java
index ce905b293ff..80f6a6045c7 100644
--- a/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesCluster.java
+++ b/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesCluster.java
@@ -98,7 +98,7 @@ public interface KubernetesCluster extends ControlledEntity, com.cloud.utils.fsm
             s_fsm.addTransition(State.Running, Event.ScaleDownRequested, State.Scaling);
             s_fsm.addTransition(State.Stopped, Event.ScaleUpRequested, State.ScalingStoppedCluster);
             s_fsm.addTransition(State.Scaling, Event.OperationSucceeded, State.Running);
-            s_fsm.addTransition(State.Scaling, Event.OperationFailed, State.Alert);
+            s_fsm.addTransition(State.Scaling, Event.OperationFailed, State.Running);
             s_fsm.addTransition(State.ScalingStoppedCluster, Event.OperationSucceeded, State.Stopped);
             s_fsm.addTransition(State.ScalingStoppedCluster, Event.OperationFailed, State.Alert);
 
diff --git a/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java b/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java
index 37b8907b454..5a6eaa3f7b9 100644
--- a/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java
+++ b/api/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelper.java
@@ -18,6 +18,7 @@ package com.cloud.kubernetes.cluster;
 
 import org.apache.cloudstack.acl.ControlledEntity;
 
+import java.util.List;
 import java.util.Map;
 
 import com.cloud.user.Account;
@@ -33,8 +34,10 @@ public interface KubernetesServiceHelper extends Adapter {
     ControlledEntity findByUuid(String uuid);
     ControlledEntity findByVmId(long vmId);
     void checkVmCanBeDestroyed(UserVm userVm);
+    void checkVmAffinityGroupsCanBeUpdated(UserVm userVm);
     boolean isValidNodeType(String nodeType);
     Map<String, Long> getServiceOfferingNodeTypeMap(Map<String, Map<String, String>> serviceOfferingNodeTypeMap);
     Map<String, Long> getTemplateNodeTypeMap(Map<String, Map<String, String>> templateNodeTypeMap);
+    Map<String, List<Long>> getAffinityGroupNodeTypeMap(Map<String, Map<String, String>> affinityGroupNodeTypeMap);
     void cleanupForAccount(Account account);
 }
diff --git a/api/src/main/java/com/cloud/network/NetworkService.java b/api/src/main/java/com/cloud/network/NetworkService.java
index 742206c7e3b..53692f932a4 100644
--- a/api/src/main/java/com/cloud/network/NetworkService.java
+++ b/api/src/main/java/com/cloud/network/NetworkService.java
@@ -279,4 +279,6 @@ public interface NetworkService {
     IpAddresses getIpAddressesFromIps(String ipAddress, String ip6Address, String macAddress);
 
     String getNicVlanValueForExternalVm(NicTO nic);
+
+    Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId);
 }
diff --git a/api/src/main/java/com/cloud/network/lb/LoadBalancingRulesService.java b/api/src/main/java/com/cloud/network/lb/LoadBalancingRulesService.java
index 0bf06be15d8..b7fe3b26761 100644
--- a/api/src/main/java/com/cloud/network/lb/LoadBalancingRulesService.java
+++ b/api/src/main/java/com/cloud/network/lb/LoadBalancingRulesService.java
@@ -108,7 +108,7 @@ public interface LoadBalancingRulesService {
     /**
      * Assign a virtual machine or list of virtual machines, or Map of <vmId vmIp> to a load balancer.
      */
-    boolean assignToLoadBalancer(long lbRuleId, List<Long> vmIds, Map<Long, List<String>> vmIdIpMap, boolean isAutoScaleVM);
+    boolean assignToLoadBalancer(long lbRuleId, List<Long> vmIds, Map<Long, List<String>> vmIdIpMap, Map<Long, Long> vmIdNetworkMap, boolean isAutoScaleVM);
 
     boolean assignSSLCertToLoadBalancerRule(Long lbRuleId, String certName, String publicCert, String privateKey);
 
diff --git a/api/src/main/java/com/cloud/network/vpc/VpcOffering.java b/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
index 17f49bb3652..f8460223215 100644
--- a/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
+++ b/api/src/main/java/com/cloud/network/vpc/VpcOffering.java
@@ -84,4 +84,6 @@ public interface VpcOffering extends InternalIdentity, Identity {
     NetworkOffering.RoutingMode getRoutingMode();
 
     Boolean isSpecifyAsNumber();
+
+    boolean isConserveMode();
 }
diff --git a/api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java b/api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java
index 97b95339ecf..891cfb02d9d 100644
--- a/api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java
+++ b/api/src/main/java/com/cloud/network/vpc/VpcProvisioningService.java
@@ -20,6 +20,7 @@ package com.cloud.network.vpc;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.cloudstack.api.command.admin.vpc.CloneVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.UpdateVPCOfferingCmd;
 import org.apache.cloudstack.api.command.user.vpc.ListVPCOfferingsCmd;
@@ -34,12 +35,14 @@ public interface VpcProvisioningService {
 
     VpcOffering createVpcOffering(CreateVPCOfferingCmd cmd);
 
+    VpcOffering cloneVPCOffering(CloneVPCOfferingCmd cmd);
+
     VpcOffering createVpcOffering(String name, String displayText, List<String> supportedServices,
                                   Map<String, List<String>> serviceProviders,
                                   Map serviceCapabilitystList, NetUtils.InternetProtocol internetProtocol,
                                   Long serviceOfferingId, String externalProvider, NetworkOffering.NetworkMode networkMode,
                                   List<Long> domainIds, List<Long> zoneIds, VpcOffering.State state,
-                                  NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber);
+                                  NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber, boolean conserveMode);
 
 
     Pair<List<? extends VpcOffering>,Integer> listVpcOfferings(ListVPCOfferingsCmd cmd);
diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java
index eb47b75ac5b..30919e5b782 100644
--- a/api/src/main/java/com/cloud/user/AccountService.java
+++ b/api/src/main/java/com/cloud/user/AccountService.java
@@ -21,12 +21,13 @@ import java.util.Map;
 
 import com.cloud.utils.Pair;
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.RolePermissionEntity;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterUserKeyCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 
 import com.cloud.dc.DataCenter;
 import com.cloud.domain.Domain;
@@ -35,6 +36,14 @@ import com.cloud.network.vpc.VpcOffering;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offering.ServiceOffering;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.auth.UserTwoFactorAuthenticator;
 import org.apache.cloudstack.backup.BackupOffering;
 
@@ -97,7 +106,7 @@ public interface AccountService {
 
     void markUserRegistered(long userId);
 
-    public String[] createApiKeyAndSecretKey(RegisterUserKeyCmd cmd);
+    ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd cmd);
 
     public String[] createApiKeyAndSecretKey(final long userId);
 
@@ -125,6 +134,8 @@ public interface AccountService {
 
     void validateAccountHasAccessToResource(Account account, AccessType accessType, Object resource);
 
+    void validateCallingUserHasAccessToDesiredUser(Long userId);
+
     Long finalizeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly);
 
     /**
@@ -134,9 +145,15 @@ public interface AccountService {
      */
     UserAccount getUserAccountById(Long userId);
 
-    public Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd);
+    Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd);
 
-    public Pair<Boolean, Map<String, String>> getKeys(Long userId);
+    ListResponse<ApiKeyPairResponse> listKeys(ListUserKeysCmd cmd);
+
+    List<ApiKeyPairPermission> listKeyRules(ListUserKeyRulesCmd cmd);
+
+    void deleteApiKey(DeleteUserKeysCmd cmd);
+
+    void deleteApiKey(ApiKeyPair id);
 
     /**
      * Lists user two-factor authentication provider plugins
@@ -151,4 +168,13 @@ public interface AccountService {
      */
     UserTwoFactorAuthenticator getUserTwoFactorAuthenticationProvider(final Long domainId);
 
+    ApiKeyPair getLatestUserKeyPair(Long userId);
+
+    ApiKeyPair getKeyPairById(Long id);
+
+    ApiKeyPair getKeyPairByApiKey(String apiKey);
+
+    String getAccessingApiKey(BaseCmd cmd);
+
+    List<RolePermissionEntity> getAllKeypairPermissions(String apiKey);
 }
diff --git a/api/src/main/java/com/cloud/user/ApiKeyPairState.java b/api/src/main/java/com/cloud/user/ApiKeyPairState.java
new file mode 100644
index 00000000000..63405c62e32
--- /dev/null
+++ b/api/src/main/java/com/cloud/user/ApiKeyPairState.java
@@ -0,0 +1,21 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.user;
+
+public enum ApiKeyPairState {
+    ENABLED, REMOVED, EXPIRED
+}
diff --git a/api/src/main/java/com/cloud/user/User.java b/api/src/main/java/com/cloud/user/User.java
index 041b39ad272..da7245a4798 100644
--- a/api/src/main/java/com/cloud/user/User.java
+++ b/api/src/main/java/com/cloud/user/User.java
@@ -65,14 +65,6 @@ public interface User extends OwnedBy, InternalIdentity {
 
     public void setState(Account.State state);
 
-    public String getApiKey();
-
-    public void setApiKey(String apiKey);
-
-    public String getSecretKey();
-
-    public void setSecretKey(String secretKey);
-
     public String getTimezone();
 
     public void setTimezone(String timezone);
diff --git a/api/src/main/java/com/cloud/user/UserAccount.java b/api/src/main/java/com/cloud/user/UserAccount.java
index e6b07fb371e..5736244e325 100644
--- a/api/src/main/java/com/cloud/user/UserAccount.java
+++ b/api/src/main/java/com/cloud/user/UserAccount.java
@@ -39,10 +39,6 @@ public interface UserAccount extends InternalIdentity {
 
     String getState();
 
-    String getApiKey();
-
-    String getSecretKey();
-
     Date getCreated();
 
     Date getRemoved();
diff --git a/api/src/main/java/com/cloud/vm/VmDetailConstants.java b/api/src/main/java/com/cloud/vm/VmDetailConstants.java
index db766572497..9e56bf4f17b 100644
--- a/api/src/main/java/com/cloud/vm/VmDetailConstants.java
+++ b/api/src/main/java/com/cloud/vm/VmDetailConstants.java
@@ -96,6 +96,7 @@ public interface VmDetailConstants {
     String CKS_NODE_TYPE = "node";
     String OFFERING = "offering";
     String TEMPLATE = "template";
+    String AFFINITY_GROUP = "affinitygroup";
 
     // VMware to KVM VM migrations specific
     String VMWARE_TO_KVM_PREFIX = "vmware-to-kvm";
diff --git a/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java b/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java
index 660f64f43ef..286a3598e4f 100644
--- a/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java
+++ b/api/src/main/java/org/apache/cloudstack/acl/APIChecker.java
@@ -20,6 +20,7 @@ import com.cloud.exception.PermissionDeniedException;
 import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.utils.component.Adapter;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 
 import java.util.List;
 
@@ -31,8 +32,8 @@ public interface APIChecker extends Adapter {
     // If true, apiChecker has checked the operation
     // If false, apiChecker is unable to handle the operation or not implemented
     // On exception, checkAccess failed don't allow
-    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
-    boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException;
+    boolean checkAccess(User user, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
+    boolean checkAccess(Account account, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException;
     /**
      * Verifies if the account has permission for the given list of APIs and returns only the allowed ones.
      *
@@ -43,4 +44,5 @@ public interface APIChecker extends Adapter {
      */
     List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
     boolean isEnabled();
+    List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType);
 }
diff --git a/api/src/main/java/org/apache/cloudstack/acl/RolePermissionEntity.java b/api/src/main/java/org/apache/cloudstack/acl/RolePermissionEntity.java
index 251c6b6d3f9..f382b1c6964 100644
--- a/api/src/main/java/org/apache/cloudstack/acl/RolePermissionEntity.java
+++ b/api/src/main/java/org/apache/cloudstack/acl/RolePermissionEntity.java
@@ -21,7 +21,7 @@ import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.api.InternalIdentity;
 
 public interface RolePermissionEntity extends InternalIdentity, Identity {
-    public enum Permission {
+    enum Permission {
         ALLOW, DENY
     }
     Rule getRule();
diff --git a/api/src/main/java/org/apache/cloudstack/acl/RoleService.java b/api/src/main/java/org/apache/cloudstack/acl/RoleService.java
index f041c8342ae..14e0a608a92 100644
--- a/api/src/main/java/org/apache/cloudstack/acl/RoleService.java
+++ b/api/src/main/java/org/apache/cloudstack/acl/RoleService.java
@@ -104,5 +104,26 @@ public interface RoleService {
 
     List<RolePermission> findAllPermissionsBy(Long roleId);
 
+    List<RolePermissionEntity> findAllRolePermissionsEntityBy(Long roleId, boolean considerImplicitRules);
+
     Permission getRolePermission(String permission);
+
+    int removeRolesIfNeeded(List<? extends Role> roles);
+
+    /**
+     * Checks if the role of the caller account has compatible permissions of the specified role permissions.
+     * For each permission of the {@param rolePermissionsToAccess}, the role of the caller needs to contain the same permission.
+     *
+     * @param rolePermissions the permissions of the caller role.
+     * @param rolePermissionsToAccess the permissions for the role that the caller role wants to access.
+     * @return True if the role can be accessed with the given permissions; false otherwise.
+     */
+    boolean roleHasPermission(Map<String, RolePermissionEntity> rolePermissions, List<RolePermissionEntity> rolePermissionsToAccess);
+
+    /**
+     * Given a list of role permissions, returns a {@link Map} containing the API name as the key and the {@link RolePermissionEntity} for the API as the value.
+     *
+     * @param rolePermissions Permissions for the role from role.
+     */
+    Map<String, RolePermissionEntity> getRoleRulesAndPermissions(List<RolePermissionEntity> rolePermissions);
 }
diff --git a/api/src/main/java/org/apache/cloudstack/acl/Rule.java b/api/src/main/java/org/apache/cloudstack/acl/Rule.java
index a4ef7773f67..ad01825a95f 100644
--- a/api/src/main/java/org/apache/cloudstack/acl/Rule.java
+++ b/api/src/main/java/org/apache/cloudstack/acl/Rule.java
@@ -25,16 +25,18 @@ import org.apache.commons.lang3.StringUtils;
 
 public final class Rule {
     private final String rule;
+    private final Pattern matchingPattern;
     private final static Pattern ALLOWED_PATTERN = Pattern.compile("^[a-zA-Z0-9*]+$");
 
     public Rule(final String rule) {
         validate(rule);
         this.rule = rule;
+        matchingPattern = Pattern.compile(rule.toLowerCase().replace("*", "(\\w*\\*?)+"));
     }
 
     public boolean matches(final String commandName) {
-        return StringUtils.isNotEmpty(commandName)
-                && commandName.toLowerCase().matches(rule.toLowerCase().replace("*", "\\w*"));
+        return StringUtils.isNotEmpty(commandName) &&
+                matchingPattern.matcher(commandName.toLowerCase()).matches();
     }
 
     public String getRuleString() {
diff --git a/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java
new file mode 100644
index 00000000000..ecce0ae5082
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPair.java
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.api.Identity;
+import org.apache.cloudstack.api.InternalIdentity;
+
+import java.util.Date;
+
+public interface ApiKeyPair extends ControlledEntity, InternalIdentity, Identity {
+    Long getUserId();
+    Date getStartDate();
+    Date getEndDate();
+    Date getCreated();
+    String getDescription();
+    String getApiKey();
+    String getSecretKey();
+    String getName();
+    Date getRemoved();
+    void setRemoved(Date date);
+    void validateDate();
+    boolean hasEndDatePassed();
+}
diff --git a/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairPermission.java b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairPermission.java
new file mode 100644
index 00000000000..60b3834cc07
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairPermission.java
@@ -0,0 +1,23 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import org.apache.cloudstack.acl.RolePermissionEntity;
+
+public interface ApiKeyPairPermission extends RolePermissionEntity {
+    long getApiKeyPairId();
+}
diff --git a/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java
new file mode 100644
index 00000000000..de9c829b17d
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/acl/apikeypair/ApiKeyPairService.java
@@ -0,0 +1,27 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.apikeypair;
+
+import java.util.List;
+
+public interface ApiKeyPairService {
+    List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId, Long roleId);
+
+    ApiKeyPair findByApiKey(String apiKey);
+
+    ApiKeyPair findById(Long id);
+}
diff --git a/api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupService.java b/api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupService.java
index 018e5f5bab5..03992c0c1c7 100644
--- a/api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupService.java
+++ b/api/src/main/java/org/apache/cloudstack/affinity/AffinityGroupService.java
@@ -66,5 +66,4 @@ public interface AffinityGroupService {
 
     boolean isAffinityGroupAvailableInDomain(long affinityGroupId, long domainId);
 
-
 }
diff --git a/api/src/main/java/org/apache/cloudstack/affinity/AffinityProcessorBase.java b/api/src/main/java/org/apache/cloudstack/affinity/AffinityProcessorBase.java
index 9995d8039e1..96ca35f264c 100644
--- a/api/src/main/java/org/apache/cloudstack/affinity/AffinityProcessorBase.java
+++ b/api/src/main/java/org/apache/cloudstack/affinity/AffinityProcessorBase.java
@@ -29,6 +29,9 @@ import java.util.List;
 
 public class AffinityProcessorBase extends AdapterBase implements AffinityGroupProcessor {
 
+    public static final String AFFINITY_TYPE_HOST = "host affinity";
+    public static final String AFFINITY_TYPE_HOST_ANTI = "host anti-affinity";
+
     protected String _type;
 
     @Override
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
index 9a8913da5b0..3d827641358 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.api;
 public class ApiConstants {
     public static final String ACCOUNT = "account";
     public static final String ACCOUNTS = "accounts";
+    public static final String ACCOUNT_NAME = "accountname";
     public static final String ACCOUNT_TYPE = "accounttype";
     public static final String ACCOUNT_ID = "accountid";
     public static final String ACCOUNT_IDS = "accountids";
@@ -46,6 +47,7 @@ public class ApiConstants {
     public static final String AS_NUMBER_ID = "asnumberid";
     public static final String ASN_RANGE = "asnrange";
     public static final String ASN_RANGE_ID = "asnrangeid";
+    public static final String API_KEY_FILTER = "apikeyfilter";
     public static final String ASYNC_BACKUP = "asyncbackup";
     public static final String AUTO_SELECT = "autoselect";
     public static final String USER_API_KEY = "userapikey";
@@ -356,6 +358,7 @@ public class ApiConstants {
     public static final String JOB_STATUS = "jobstatus";
     public static final String KEEPALIVE_ENABLED = "keepaliveenabled";
     public static final String KERNEL_VERSION = "kernelversion";
+    public static final String KEYPAIR_ID = "keypairid";
     public static final String KEY = "key";
     public static final String LABEL = "label";
     public static final String LASTNAME = "lastname";
@@ -521,9 +524,9 @@ public class ApiConstants {
     public static final String SCHEDULE = "schedule";
     public static final String SCHEDULE_ID = "scheduleid";
     public static final String SCOPE = "scope";
+    public static final String USER_SECRET_KEY = "usersecretkey";
     public static final String SEARCH_BASE = "searchbase";
     public static final String SECONDARY_IP = "secondaryip";
-    public static final String SECRET_KEY = "secretkey";
     public static final String SECURITY_GROUP_IDS = "securitygroupids";
     public static final String SECURITY_GROUP_NAMES = "securitygroupnames";
     public static final String SECURITY_GROUP_NAME = "securitygroupname";
@@ -540,6 +543,7 @@ public class ApiConstants {
     public static final String SHOW_RESOURCE_ICON = "showicon";
     public static final String SHOW_INACTIVE = "showinactive";
     public static final String SHOW_UNIQUE = "showunique";
+    public static final String SHOW_PERMISSIONS = "showpermissions";
     public static final String SIGNATURE = "signature";
     public static final String SIGNATURE_VERSION = "signatureversion";
     public static final String SINCE = "since";
@@ -555,6 +559,7 @@ public class ApiConstants {
     public static final String USE_STORAGE_REPLICATION = "usestoragereplication";
 
     public static final String SOURCE_CIDR_LIST = "sourcecidrlist";
+    public static final String SOURCE_OFFERING_ID = "sourceofferingid";
     public static final String SOURCE_ZONE_ID = "sourcezoneid";
     public static final String SSL_VERIFICATION = "sslverification";
     public static final String START_ASN = "startasn";
@@ -623,7 +628,6 @@ public class ApiConstants {
     public static final String USERNAME = "username";
     public static final String USER_CONFIGURABLE = "userconfigurable";
     public static final String USER_SECURITY_GROUP_LIST = "usersecuritygrouplist";
-    public static final String USER_SECRET_KEY = "usersecretkey";
     public static final String USE_VIRTUAL_NETWORK = "usevirtualnetwork";
     public static final String USE_VIRTUAL_ROUTER_IP_RESOLVER = "userouteripresolver";
     public static final String UPDATE_IN_SEQUENCE = "updateinsequence";
@@ -765,6 +769,7 @@ public class ApiConstants {
     public static final String ROLE_TYPE = "roletype";
     public static final String ROLE_NAME = "rolename";
     public static final String PERMISSION = "permission";
+    public static final String PERMISSIONS = "permissions";
     public static final String RULE = "rule";
     public static final String RULES = "rules";
     public static final String RULE_ID = "ruleid";
@@ -982,6 +987,7 @@ public class ApiConstants {
     public static final String REGION_ID = "regionid";
     public static final String VPC_OFF_ID = "vpcofferingid";
     public static final String VPC_OFF_NAME = "vpcofferingname";
+    public static final String VPC_OFFERING_CONSERVE_MODE = "vpcofferingconservemode";
     public static final String NETWORK = "network";
     public static final String VPC_ID = "vpcid";
     public static final String VPC_NAME = "vpcname";
@@ -1028,7 +1034,7 @@ public class ApiConstants {
     public static final String NSX_PROVIDER_PORT = "nsxproviderport";
     public static final String NSX_CONTROLLER_ID = "nsxcontrollerid";
     public static final String S3_ACCESS_KEY = "accesskey";
-    public static final String S3_SECRET_KEY = "secretkey";
+    public static final String SECRET_KEY = "secretkey";
     public static final String S3_END_POINT = "endpoint";
     public static final String S3_BUCKET_NAME = "bucket";
     public static final String S3_SIGNER = "s3signer";
@@ -1240,6 +1246,13 @@ public class ApiConstants {
     public static final String MAX_SIZE = "maxsize";
     public static final String NODE_TYPE_OFFERING_MAP = "nodeofferings";
     public static final String NODE_TYPE_TEMPLATE_MAP = "nodetemplates";
+    public static final String NODE_TYPE_AFFINITY_GROUP_MAP = "nodeaffinitygroups";
+    public static final String CONTROL_AFFINITY_GROUP_IDS = "controlaffinitygroupids";
+    public static final String CONTROL_AFFINITY_GROUP_NAMES = "controlaffinitygroupnames";
+    public static final String WORKER_AFFINITY_GROUP_IDS = "workeraffinitygroupids";
+    public static final String WORKER_AFFINITY_GROUP_NAMES = "workeraffinitygroupnames";
+    public static final String ETCD_AFFINITY_GROUP_IDS = "etcdaffinitygroupids";
+    public static final String ETCD_AFFINITY_GROUP_NAMES = "etcdaffinitygroupnames";
 
     public static final String BOOT_TYPE = "boottype";
     public static final String BOOT_MODE = "bootmode";
diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiServerService.java b/api/src/main/java/org/apache/cloudstack/api/ApiServerService.java
index cb75939d6bc..18c96c37159 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ApiServerService.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ApiServerService.java
@@ -49,5 +49,7 @@ public interface ApiServerService {
 
     boolean resetPassword(UserAccount userAccount, String token, String password);
 
+    String getDomainId(Map<String, Object[]> params);
+
     boolean isPostRequestsAndTimestampsEnforced();
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/BaseAsyncCmd.java b/api/src/main/java/org/apache/cloudstack/api/BaseAsyncCmd.java
index 6859b0a7f40..c67c5a023e0 100644
--- a/api/src/main/java/org/apache/cloudstack/api/BaseAsyncCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/BaseAsyncCmd.java
@@ -29,6 +29,7 @@ public abstract class BaseAsyncCmd extends BaseCmd {
     public static final String migrationSyncObject = "migration";
     public static final String snapshotHostSyncObject = "snapshothost";
     public static final String gslbSyncObject = "globalserverloadbalancer";
+    public static final String user = "user";
 
     private Object job;
 
diff --git a/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java b/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
index f30f6f32782..e495cf28413 100644
--- a/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/BaseCmd.java
@@ -36,6 +36,7 @@ import com.cloud.bgp.BGPService;
 import org.apache.cloudstack.acl.ProjectRoleService;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
 import org.apache.cloudstack.affinity.AffinityGroupService;
 import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.annotation.AnnotationService;
@@ -221,6 +222,8 @@ public abstract class BaseCmd {
     @Inject
     public Ipv6Service ipv6Service;
     @Inject
+    public ApiKeyPairService apiKeyPairService;
+    @Inject
     public VnfTemplateManager vnfTemplateManager;
     @Inject
     public BucketApiService _bucketService;
diff --git a/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java b/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
index 8e92e877f5c..338c1e738df 100644
--- a/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
+++ b/api/src/main/java/org/apache/cloudstack/api/ResponseGenerator.java
@@ -24,6 +24,8 @@ import java.util.Set;
 
 import org.apache.cloudstack.api.response.ConsoleSessionResponse;
 import org.apache.cloudstack.consoleproxy.ConsoleSession;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.api.ApiConstants.HostDetails;
@@ -41,6 +43,7 @@ import org.apache.cloudstack.api.response.AutoScaleVmProfileResponse;
 import org.apache.cloudstack.api.response.BackupOfferingResponse;
 import org.apache.cloudstack.api.response.BackupRepositoryResponse;
 import org.apache.cloudstack.api.response.BackupScheduleResponse;
+import org.apache.cloudstack.api.response.BaseRolePermissionResponse;
 import org.apache.cloudstack.api.response.BucketResponse;
 import org.apache.cloudstack.api.response.CapacityResponse;
 import org.apache.cloudstack.api.response.ClusterResponse;
@@ -77,6 +80,7 @@ import org.apache.cloudstack.api.response.InternalLoadBalancerElementResponse;
 import org.apache.cloudstack.api.response.IpForwardingRuleResponse;
 import org.apache.cloudstack.api.response.IpQuarantineResponse;
 import org.apache.cloudstack.api.response.IsolationMethodResponse;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
 import org.apache.cloudstack.api.response.LBHealthCheckResponse;
 import org.apache.cloudstack.api.response.LBStickinessResponse;
 import org.apache.cloudstack.api.response.ListResponse;
@@ -583,4 +587,8 @@ public interface ResponseGenerator {
     GuiThemeResponse createGuiThemeResponse(GuiThemeJoin guiThemeJoin);
 
     ConsoleSessionResponse createConsoleSessionResponse(ConsoleSession consoleSession, ResponseView responseView);
+
+    ApiKeyPairResponse createKeyPairResponse(ApiKeyPair keyPair);
+
+    ListResponse<BaseRolePermissionResponse> createKeypairPermissionsResponse(List<ApiKeyPairPermission> permissions);
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmd.java
new file mode 100644
index 00000000000..500a77f3d4f
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmd.java
@@ -0,0 +1,166 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.backup;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.offering.DomainAndZoneIdResolver;
+import org.apache.cloudstack.api.response.BackupOfferingResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.backup.BackupManager;
+import org.apache.cloudstack.backup.BackupOffering;
+import org.apache.cloudstack.context.CallContext;
+
+import com.cloud.event.EventTypes;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.function.LongFunction;
+
+@APICommand(name = "cloneBackupOffering",
+        description = "Clones a backup offering from an existing offering",
+        responseObject = BackupOfferingResponse.class, since = "4.23.0",
+        authorized = {RoleType.Admin})
+public class CloneBackupOfferingCmd extends BaseAsyncCmd implements DomainAndZoneIdResolver {
+
+    @Inject
+    protected BackupManager backupManager;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    ////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.SOURCE_OFFERING_ID, type = BaseCmd.CommandType.UUID, entityType = BackupOfferingResponse.class,
+            required = true, description = "The ID of the source backup offering to clone from")
+    private Long sourceOfferingId;
+
+    @Parameter(name = ApiConstants.NAME, type = BaseCmd.CommandType.STRING, required = true,
+            description = "The name of the cloned offering")
+    private String name;
+
+    @Parameter(name = ApiConstants.DESCRIPTION, type = BaseCmd.CommandType.STRING, required = false,
+            description = "The description of the cloned offering")
+    private String description;
+
+    @Parameter(name = ApiConstants.EXTERNAL_ID, type = BaseCmd.CommandType.STRING, required = false,
+            description = "The backup offering ID (from backup provider side)")
+    private String externalId;
+
+    @Parameter(name = ApiConstants.ZONE_ID, type = BaseCmd.CommandType.UUID, entityType = ZoneResponse.class,
+            description = "The zone ID", required = false)
+    private Long zoneId;
+
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+            type = CommandType.STRING,
+            description = "the ID of the containing domain(s) as comma separated string, public for public offerings",
+            length = 4096)
+    private String domainIds;
+
+    @Parameter(name = ApiConstants.ALLOW_USER_DRIVEN_BACKUPS, type = BaseCmd.CommandType.BOOLEAN,
+            description = "Whether users are allowed to create adhoc backups and backup schedules", required = false)
+    private Boolean userDrivenBackups;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getSourceOfferingId() {
+        return sourceOfferingId;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getExternalId() {
+        return externalId;
+    }
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public Boolean getUserDrivenBackups() {
+        return userDrivenBackups;
+    }
+
+    public List<Long> getDomainIds() {
+        if (domainIds != null && !domainIds.isEmpty()) {
+            return Arrays.asList(Arrays.stream(domainIds.split(",")).map(domainId -> Long.parseLong(domainId.trim())).toArray(Long[]::new));
+        }
+        LongFunction<List<Long>> defaultDomainsProvider = null;
+        if (backupManager != null) {
+            defaultDomainsProvider = backupManager::getBackupOfferingDomains;
+        }
+        return resolveDomainIds(domainIds, sourceOfferingId, defaultDomainsProvider, "backup offering");
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
+        try {
+            BackupOffering policy = backupManager.cloneBackupOffering(this);
+            if (policy == null) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to clone backup offering");
+            }
+            BackupOfferingResponse response = _responseGenerator.createBackupOfferingResponse(policy);
+            response.setResponseName(getCommandName());
+            setResponseObject(response);
+        } catch (InvalidParameterValueException e) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, e.getMessage());
+        } catch (CloudRuntimeException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
+        }
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_VM_BACKUP_OFFERING_CLONE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Cloning backup offering: " + name + " from source offering: " + (sourceOfferingId == null ? "" : sourceOfferingId.toString());
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/ImportBackupOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/ImportBackupOfferingCmd.java
index f852f7e2577..4cf27c56150 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/ImportBackupOfferingCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/backup/ImportBackupOfferingCmd.java
@@ -54,7 +54,7 @@ import java.util.Set;
 public class ImportBackupOfferingCmd extends BaseAsyncCmd {
 
     @Inject
-    private BackupManager backupManager;
+    protected BackupManager backupManager;
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -86,7 +86,8 @@ public class ImportBackupOfferingCmd extends BaseAsyncCmd {
             type = CommandType.LIST,
             collectionType = CommandType.UUID,
             entityType = DomainResponse.class,
-            description = "the ID of the containing domain(s), null for public offerings")
+            description = "the ID of the containing domain(s), null for public offerings",
+            since = "4.23.0")
     private List<Long> domainIds;
 
     /////////////////////////////////////////////////////
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmd.java
new file mode 100644
index 00000000000..19760ffaaa1
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmd.java
@@ -0,0 +1,113 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.network;
+
+import java.util.List;
+
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.NetworkOfferingResponse;
+
+import com.cloud.offering.NetworkOffering;
+
+@APICommand(name = "cloneNetworkOffering",
+        description = "Clones a network offering. All parameters are copied from the source offering unless explicitly overridden. " +
+                "Use 'addServices' and 'dropServices' to modify the service list without respecifying everything.",
+        responseObject = NetworkOfferingResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false,
+        since = "4.23.0")
+public class CloneNetworkOfferingCmd extends NetworkOfferingBaseCmd {
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.SOURCE_OFFERING_ID,
+            type = BaseCmd.CommandType.UUID,
+            entityType = NetworkOfferingResponse.class,
+            required = true,
+            description = "The ID of the source network offering to clone from")
+    private Long sourceOfferingId;
+
+    @Parameter(name = "addservices",
+            type = CommandType.LIST,
+            collectionType = CommandType.STRING,
+            description = "Services to add to the cloned offering (in addition to source offering services). " +
+                    "If specified along with 'supportedservices', this parameter is ignored.")
+    private List<String> addServices;
+
+    @Parameter(name = "dropservices",
+            type = CommandType.LIST,
+            collectionType = CommandType.STRING,
+            description = "Services to remove from the cloned offering (that exist in source offering). " +
+                    "If specified along with 'supportedservices', this parameter is ignored.")
+    private List<String> dropServices;
+
+    @Parameter(name = ApiConstants.TRAFFIC_TYPE,
+            type = CommandType.STRING,
+            description = "The traffic type for the network offering. Supported type in current release is GUEST only")
+    private String traffictype;
+
+    @Parameter(name = ApiConstants.GUEST_IP_TYPE, type = CommandType.STRING, description = "Guest type of the network offering: Shared or Isolated")
+    private String guestIptype;
+
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getSourceOfferingId() {
+        return sourceOfferingId;
+    }
+
+    public List<String> getAddServices() {
+        return addServices;
+    }
+
+    public List<String> getDropServices() {
+        return dropServices;
+    }
+
+    public String getGuestIpType() {
+        return guestIptype;
+    }
+
+    public String getTraffictype() {
+        return traffictype;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() {
+        NetworkOffering result = _configService.cloneNetworkOffering(this);
+        if (result != null) {
+            NetworkOfferingResponse response = _responseGenerator.createNetworkOfferingResponse(result);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to clone network offering");
+        }
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
index a0559f57dab..5c39060f9fa 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java
@@ -16,505 +16,47 @@
 // under the License.
 package org.apache.cloudstack.api.command.admin.network;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-import com.cloud.network.Network;
-import com.cloud.network.VirtualRouterProvider;
-import org.apache.cloudstack.api.response.DomainResponse;
-import org.apache.cloudstack.api.response.ZoneResponse;
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
-
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
-import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.response.NetworkOfferingResponse;
-import org.apache.cloudstack.api.response.ServiceOfferingResponse;
 
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.network.Network.Capability;
-import com.cloud.network.Network.Service;
 import com.cloud.offering.NetworkOffering;
-import com.cloud.offering.NetworkOffering.Availability;
-import com.cloud.user.Account;
-
-import static com.cloud.network.Network.Service.Dhcp;
-import static com.cloud.network.Network.Service.Dns;
-import static com.cloud.network.Network.Service.Lb;
-import static com.cloud.network.Network.Service.StaticNat;
-import static com.cloud.network.Network.Service.SourceNat;
-import static com.cloud.network.Network.Service.PortForwarding;
-import static com.cloud.network.Network.Service.NetworkACL;
-import static com.cloud.network.Network.Service.UserData;
-import static com.cloud.network.Network.Service.Firewall;
-
-import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisNatted;
-import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisRouted;
-import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNsxWithoutLb;
 
 @APICommand(name = "createNetworkOffering", description = "Creates a network offering.", responseObject = NetworkOfferingResponse.class, since = "3.0.0",
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
-public class CreateNetworkOfferingCmd extends BaseCmd {
+public class CreateNetworkOfferingCmd extends NetworkOfferingBaseCmd {
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "The name of the network offering")
-    private String networkOfferingName;
-
-    @Parameter(name = ApiConstants.DISPLAY_TEXT, type = CommandType.STRING, description = "The display text of the network offering, defaults to the value of 'name'.")
-    private String displayText;
-
     @Parameter(name = ApiConstants.TRAFFIC_TYPE,
             type = CommandType.STRING,
             required = true,
             description = "The traffic type for the network offering. Supported type in current release is GUEST only")
     private String traffictype;
 
-    @Parameter(name = ApiConstants.TAGS, type = CommandType.STRING, description = "The tags for the network offering.", length = 4096)
-    private String tags;
-
-    @Parameter(name = ApiConstants.SPECIFY_VLAN, type = CommandType.BOOLEAN, description = "True if network offering supports VLANs")
-    private Boolean specifyVlan;
-
-    @Parameter(name = ApiConstants.AVAILABILITY, type = CommandType.STRING, description = "The availability of network offering. The default value is Optional. "
-            + " Another value is Required, which will make it as the default network offering for new networks ")
-    private String availability;
-
-    @Parameter(name = ApiConstants.NETWORKRATE, type = CommandType.INTEGER, description = "Data transfer rate in megabits per second allowed")
-    private Integer networkRate;
-
-    @Parameter(name = ApiConstants.CONSERVE_MODE, type = CommandType.BOOLEAN, description = "True if the network offering is IP conserve mode enabled")
-    private Boolean conserveMode;
-
-    @Parameter(name = ApiConstants.SERVICE_OFFERING_ID,
-            type = CommandType.UUID,
-            entityType = ServiceOfferingResponse.class,
-            description = "The service offering ID used by virtual router provider")
-    private Long serviceOfferingId;
-
     @Parameter(name = ApiConstants.GUEST_IP_TYPE, type = CommandType.STRING, required = true, description = "Guest type of the network offering: Shared or Isolated")
     private String guestIptype;
 
-    @Parameter(name = ApiConstants.INTERNET_PROTOCOL,
-            type = CommandType.STRING,
-            description = "The internet protocol of network offering. Options are IPv4 and dualstack. Default is IPv4. dualstack will create a network offering that supports both IPv4 and IPv6",
-            since = "4.17.0")
-    private String internetProtocol;
-
-    @Parameter(name = ApiConstants.SUPPORTED_SERVICES,
-            type = CommandType.LIST,
-            collectionType = CommandType.STRING,
-            description = "Services supported by the network offering")
-    private List<String> supportedServices;
-
-    @Parameter(name = ApiConstants.SERVICE_PROVIDER_LIST,
-            type = CommandType.MAP,
-            description = "Provider to service mapping. If not specified, the provider for the service will be mapped to the default provider on the physical network")
-    private Map serviceProviderList;
-
-    @Parameter(name = ApiConstants.SERVICE_CAPABILITY_LIST, type = CommandType.MAP, description = "Desired service capabilities as part of network offering")
-    private Map serviceCapabilitystList;
-
-    @Parameter(name = ApiConstants.SPECIFY_IP_RANGES,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering supports specifying ip ranges; defaulted to false if not specified")
-    private Boolean specifyIpRanges;
-
-    @Parameter(name = ApiConstants.IS_PERSISTENT,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering supports persistent networks; defaulted to false if not specified")
-    private Boolean isPersistent;
-
-    @Parameter(name = ApiConstants.FOR_VPC,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering is meant to be used for VPC, false otherwise.")
-    private Boolean forVpc;
-
-    @Deprecated
-    @Parameter(name = ApiConstants.FOR_NSX,
-            type = CommandType.BOOLEAN,
-            description = "true if network offering is meant to be used for NSX, false otherwise.",
-            since = "4.20.0")
-    private Boolean forNsx;
-
-    @Parameter(name = ApiConstants.PROVIDER,
-            type = CommandType.STRING,
-            description = "Name of the provider providing the service",
-            since = "4.21.0")
-    private String provider;
-
-    @Parameter(name = ApiConstants.NSX_SUPPORT_LB,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering for NSX network offering supports Load balancer service.",
-            since = "4.20.0")
-    private Boolean nsxSupportsLbService;
-
-    @Parameter(name = ApiConstants.NSX_SUPPORTS_INTERNAL_LB,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering for NSX network offering supports Internal Load balancer service.",
-            since = "4.20.0")
-    private Boolean nsxSupportsInternalLbService;
-
-    @Parameter(name = ApiConstants.NETWORK_MODE,
-            type = CommandType.STRING,
-            description = "Indicates the mode with which the network will operate. Valid option: NATTED or ROUTED",
-            since = "4.20.0")
-    private String networkMode;
-
-    @Parameter(name = ApiConstants.FOR_TUNGSTEN,
-            type = CommandType.BOOLEAN,
-            description = "True if network offering is meant to be used for Tungsten-Fabric, false otherwise.")
-    private Boolean forTungsten;
-
-    @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP, since = "4.2.0", description = "Network offering details in key/value pairs."
-            + " Supported keys are internallbprovider/publiclbprovider with service provider as a value, and"
-            + " promiscuousmode/macaddresschanges/forgedtransmits with true/false as value to accept/reject the security settings if available for a nic/portgroup")
-    protected Map details;
-
-    @Parameter(name = ApiConstants.EGRESS_DEFAULT_POLICY,
-            type = CommandType.BOOLEAN,
-            description = "True if guest network default egress policy is allow; false if default egress policy is deny")
-    private Boolean egressDefaultPolicy;
-
-    @Parameter(name = ApiConstants.KEEPALIVE_ENABLED,
-            type = CommandType.BOOLEAN,
-            required = false,
-            description = "If true keepalive will be turned on in the loadbalancer. At the time of writing this has only an effect on haproxy; the mode http and httpclose options are unset in the haproxy conf file.")
-    private Boolean keepAliveEnabled;
-
-    @Parameter(name = ApiConstants.MAX_CONNECTIONS,
-            type = CommandType.INTEGER,
-            description = "Maximum number of concurrent connections supported by the Network offering")
-    private Integer maxConnections;
-
-    @Parameter(name = ApiConstants.DOMAIN_ID,
-            type = CommandType.LIST,
-            collectionType = CommandType.UUID,
-            entityType = DomainResponse.class,
-            description = "The ID of the containing domain(s), null for public offerings")
-    private List<Long> domainIds;
-
-    @Parameter(name = ApiConstants.ZONE_ID,
-            type = CommandType.LIST,
-            collectionType = CommandType.UUID,
-            entityType = ZoneResponse.class,
-            description = "The ID of the containing zone(s), null for public offerings",
-            since = "4.13")
-    private List<Long> zoneIds;
-
-    @Parameter(name = ApiConstants.ENABLE,
-            type = CommandType.BOOLEAN,
-            description = "Set to true if the offering is to be enabled during creation. Default is false",
-            since = "4.16")
-    private Boolean enable;
-
-    @Parameter(name = ApiConstants.SPECIFY_AS_NUMBER, type = CommandType.BOOLEAN, since = "4.20.0",
-            description = "true if network offering supports choosing AS number")
-    private Boolean specifyAsNumber;
-
-    @Parameter(name = ApiConstants.ROUTING_MODE,
-            type = CommandType.STRING,
-            since = "4.20.0",
-            description = "the routing mode for the network offering. Supported types are: Static or Dynamic.")
-    private String routingMode;
-
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
 
-    public String getNetworkOfferingName() {
-        return networkOfferingName;
-    }
-
-    public String getDisplayText() {
-        return StringUtils.isEmpty(displayText) ? networkOfferingName : displayText;
-    }
-
-    public String getTags() {
-        return tags;
-    }
-
     public String getTraffictype() {
         return traffictype;
     }
 
-    public Boolean getSpecifyVlan() {
-        return specifyVlan == null ? false : specifyVlan;
-    }
-
-    public String getAvailability() {
-        return availability == null ? Availability.Optional.toString() : availability;
-    }
-
-    public Integer getNetworkRate() {
-        return networkRate;
-    }
-
-    public Long getServiceOfferingId() {
-        return serviceOfferingId;
-    }
-
-    public boolean isExternalNetworkProvider() {
-        return Arrays.asList("NSX", "Netris").stream()
-                .anyMatch(s -> provider != null && s.equalsIgnoreCase(provider));
-    }
-
-    public boolean isForNsx() {
-        return provider != null && provider.equalsIgnoreCase("NSX");
-    }
-
-    public boolean isForNetris() {
-        return provider != null && provider.equalsIgnoreCase("Netris");
-    }
-
-    public String getProvider() {
-        return provider;
-    }
-
-    public List<String> getSupportedServices() {
-        if (!isExternalNetworkProvider()) {
-            return supportedServices == null ? new ArrayList<String>() : supportedServices;
-        } else {
-            List<String> services = new ArrayList<>(List.of(
-                    Dhcp.getName(),
-                    Dns.getName(),
-                    UserData.getName()
-            ));
-            if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode())) {
-                services.addAll(Arrays.asList(
-                        StaticNat.getName(),
-                        SourceNat.getName(),
-                        PortForwarding.getName()));
-            }
-            if (getNsxSupportsLbService() || (provider != null && isNetrisNatted(getProvider(), getNetworkMode()))) {
-                services.add(Lb.getName());
-            }
-            if (Boolean.TRUE.equals(forVpc)) {
-                services.add(NetworkACL.getName());
-            } else {
-                services.add(Firewall.getName());
-            }
-            return services;
-        }
-    }
-
     public String getGuestIpType() {
         return guestIptype;
     }
 
-    public String getInternetProtocol() {
-        return internetProtocol;
-    }
-
-    public Boolean getSpecifyIpRanges() {
-        return specifyIpRanges == null ? false : specifyIpRanges;
-    }
-
-    public Boolean getConserveMode() {
-        if (conserveMode == null) {
-            return true;
-        }
-        return conserveMode;
-    }
-
-    public Boolean getIsPersistent() {
-        return isPersistent == null ? false : isPersistent;
-    }
-
-    public Boolean getForVpc() {
-        return forVpc;
-    }
-
-    public String getNetworkMode() {
-        return networkMode;
-    }
-
-    public boolean getNsxSupportsLbService() {
-        return BooleanUtils.isTrue(nsxSupportsLbService);
-    }
-
-    public boolean getNsxSupportsInternalLbService() {
-        return BooleanUtils.isTrue(nsxSupportsInternalLbService);
-    }
-
-    public Boolean getForTungsten() {
-        return forTungsten;
-    }
-
-    public Boolean getEgressDefaultPolicy() {
-        if (egressDefaultPolicy == null) {
-            return true;
-        }
-        return egressDefaultPolicy;
-    }
-
-    public Boolean getKeepAliveEnabled() {
-        return keepAliveEnabled;
-    }
-
-    public Integer getMaxconnections() {
-        return maxConnections;
-    }
-
-    public Map<String, List<String>> getServiceProviders() {
-        Map<String, List<String>> serviceProviderMap = new HashMap<>();
-        if (serviceProviderList != null && !serviceProviderList.isEmpty() && !isExternalNetworkProvider()) {
-            Collection servicesCollection = serviceProviderList.values();
-            Iterator iter = servicesCollection.iterator();
-            while (iter.hasNext()) {
-                HashMap<String, String> services = (HashMap<String, String>) iter.next();
-                String service = services.get("service");
-                String provider = services.get("provider");
-                List<String> providerList = null;
-                if (serviceProviderMap.containsKey(service)) {
-                    providerList = serviceProviderMap.get(service);
-                } else {
-                    providerList = new ArrayList<String>();
-                }
-                providerList.add(provider);
-                serviceProviderMap.put(service, providerList);
-            }
-        } else if (isExternalNetworkProvider()) {
-            getServiceProviderMapForExternalProvider(serviceProviderMap, Network.Provider.getProvider(provider).getName());
-        }
-        return serviceProviderMap;
-    }
-
-    private void getServiceProviderMapForExternalProvider(Map<String, List<String>> serviceProviderMap, String provider) {
-        String routerProvider = Boolean.TRUE.equals(getForVpc()) ? VirtualRouterProvider.Type.VPCVirtualRouter.name() :
-                VirtualRouterProvider.Type.VirtualRouter.name();
-        List<String> unsupportedServices = new ArrayList<>(List.of("Vpn", "Gateway", "SecurityGroup", "Connectivity", "BaremetalPxeService"));
-        List<String> routerSupported = List.of("Dhcp", "Dns", "UserData");
-        List<String> allServices = Service.listAllServices().stream().map(Service::getName).collect(Collectors.toList());
-        if (routerProvider.equals(VirtualRouterProvider.Type.VPCVirtualRouter.name())) {
-            unsupportedServices.add("Firewall");
-        } else {
-            unsupportedServices.add("NetworkACL");
-        }
-        for (String service : allServices) {
-            if (unsupportedServices.contains(service))
-                continue;
-            if (routerSupported.contains(service))
-                serviceProviderMap.put(service, List.of(routerProvider));
-            else if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode()) || NetworkACL.getName().equalsIgnoreCase(service)) {
-                    serviceProviderMap.put(service, List.of(provider));
-                }
-            if (isNsxWithoutLb(getProvider(), getNsxSupportsLbService()) || isNetrisRouted(getProvider(), getNetworkMode())) {
-                serviceProviderMap.remove(Lb.getName());
-            }
-        }
-    }
-
-    public Map<Capability, String> getServiceCapabilities(Service service) {
-        Map<Capability, String> capabilityMap = null;
-
-        if (serviceCapabilitystList != null && !serviceCapabilitystList.isEmpty()) {
-            capabilityMap = new HashMap<Capability, String>();
-            Collection serviceCapabilityCollection = serviceCapabilitystList.values();
-            Iterator iter = serviceCapabilityCollection.iterator();
-            while (iter.hasNext()) {
-                HashMap<String, String> svcCapabilityMap = (HashMap<String, String>) iter.next();
-                Capability capability = null;
-                String svc = svcCapabilityMap.get("service");
-                String capabilityName = svcCapabilityMap.get("capabilitytype");
-                String capabilityValue = svcCapabilityMap.get("capabilityvalue");
-
-                if (capabilityName != null) {
-                    capability = Capability.getCapability(capabilityName);
-                }
-
-                if ((capability == null) || (capabilityName == null) || (capabilityValue == null)) {
-                    throw new InvalidParameterValueException("Invalid capability:" + capabilityName + " capability value:" + capabilityValue);
-                }
-
-                if (svc.equalsIgnoreCase(service.getName())) {
-                    capabilityMap.put(capability, capabilityValue);
-                } else {
-                    //throw new InvalidParameterValueException("Service is not equal ")
-                }
-            }
-        }
-
-        return capabilityMap;
-    }
-
-    public Map<String, String> getDetails() {
-        if (details == null || details.isEmpty()) {
-            return null;
-        }
-
-        Collection paramsCollection = details.values();
-        Object objlist[] = paramsCollection.toArray();
-        Map<String, String> params = (Map<String, String>) (objlist[0]);
-        for (int i = 1; i < objlist.length; i++) {
-            params.putAll((Map<String, String>) (objlist[i]));
-        }
-
-        return params;
-    }
-
-    public String getServicePackageId() {
-        Map<String, String> data = getDetails();
-        if (data == null)
-            return null;
-        return data.get(NetworkOffering.Detail.servicepackageuuid + "");
-    }
-
-    public List<Long> getDomainIds() {
-        if (CollectionUtils.isNotEmpty(domainIds)) {
-            Set<Long> set = new LinkedHashSet<>(domainIds);
-            domainIds.clear();
-            domainIds.addAll(set);
-        }
-        return domainIds;
-    }
-
-    public List<Long> getZoneIds() {
-        if (CollectionUtils.isNotEmpty(zoneIds)) {
-            Set<Long> set = new LinkedHashSet<>(zoneIds);
-            zoneIds.clear();
-            zoneIds.addAll(set);
-        }
-        return zoneIds;
-    }
-
-    public Boolean getEnable() {
-        if (enable != null) {
-            return enable;
-        }
-        return false;
-    }
-
-    public boolean getSpecifyAsNumber() {
-        return BooleanUtils.toBoolean(specifyAsNumber);
-    }
-
-    public String getRoutingMode() {
-        return routingMode;
-    }
-
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
-    @Override
-    public long getEntityOwnerId() {
-        return Account.ACCOUNT_ID_SYSTEM;
-    }
 
     @Override
     public void execute() {
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
index 75444bebd3d..097b8a5b545 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/CreatePhysicalNetworkCmd.java
@@ -75,7 +75,7 @@ public class CreatePhysicalNetworkCmd extends BaseAsyncCreateCmd {
     @Parameter(name = ApiConstants.ISOLATION_METHODS,
                type = CommandType.LIST,
                collectionType = CommandType.STRING,
-               description = "The isolation method for the physical Network[VLAN/L3/GRE]")
+               description = "The isolation method for the physical Network[VLAN/VXLAN/GRE/STT/BCF_SEGMENT/SSP/ODL/L3VPN/VCS/NSX/NETRIS]")
     private List<String> isolationMethods;
 
     @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "The name of the physical Network")
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
new file mode 100644
index 00000000000..1c832b7217e
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/network/NetworkOfferingBaseCmd.java
@@ -0,0 +1,493 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.network;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.Network;
+import com.cloud.network.VirtualRouterProvider;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.api.response.ServiceOfferingResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import static com.cloud.network.Network.Service.Dhcp;
+import static com.cloud.network.Network.Service.Dns;
+import static com.cloud.network.Network.Service.Firewall;
+import static com.cloud.network.Network.Service.Lb;
+import static com.cloud.network.Network.Service.NetworkACL;
+import static com.cloud.network.Network.Service.PortForwarding;
+import static com.cloud.network.Network.Service.SourceNat;
+import static com.cloud.network.Network.Service.StaticNat;
+import static com.cloud.network.Network.Service.UserData;
+
+import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNsxWithoutLb;
+import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisNatted;
+import static org.apache.cloudstack.api.command.utils.OfferingUtils.isNetrisRouted;
+
+public abstract class NetworkOfferingBaseCmd extends BaseCmd {
+
+    public abstract String getGuestIpType();
+    public abstract String getTraffictype();
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "The name of the network offering")
+    private String networkOfferingName;
+
+    @Parameter(name = ApiConstants.DISPLAY_TEXT, type = CommandType.STRING, description = "The display text of the network offering, defaults to the value of 'name'.")
+    private String displayText;
+
+    @Parameter(name = ApiConstants.TAGS, type = CommandType.STRING, description = "The tags for the network offering.", length = 4096)
+    private String tags;
+
+    @Parameter(name = ApiConstants.SPECIFY_VLAN, type = CommandType.BOOLEAN, description = "True if network offering supports VLANs")
+    private Boolean specifyVlan;
+
+    @Parameter(name = ApiConstants.AVAILABILITY, type = CommandType.STRING, description = "The availability of network offering. The default value is Optional. "
+            + " Another value is Required, which will make it as the default network offering for new networks ")
+    private String availability;
+
+    @Parameter(name = ApiConstants.NETWORKRATE, type = CommandType.INTEGER, description = "Data transfer rate in megabits per second allowed")
+    private Integer networkRate;
+
+    @Parameter(name = ApiConstants.CONSERVE_MODE, type = CommandType.BOOLEAN, description = "True if the network offering is IP conserve mode enabled")
+    private Boolean conserveMode;
+
+    @Parameter(name = ApiConstants.SERVICE_OFFERING_ID,
+            type = CommandType.UUID,
+            entityType = ServiceOfferingResponse.class,
+            description = "The service offering ID used by virtual router provider")
+    private Long serviceOfferingId;
+
+    @Parameter(name = ApiConstants.INTERNET_PROTOCOL,
+            type = CommandType.STRING,
+            description = "The internet protocol of network offering. Options are IPv4 and dualstack. Default is IPv4. dualstack will create a network offering that supports both IPv4 and IPv6",
+            since = "4.17.0")
+    private String internetProtocol;
+
+    @Parameter(name = ApiConstants.SUPPORTED_SERVICES,
+            type = CommandType.LIST,
+            collectionType = CommandType.STRING,
+            description = "Services supported by the network offering")
+    private List<String> supportedServices;
+
+    @Parameter(name = ApiConstants.SERVICE_PROVIDER_LIST,
+            type = CommandType.MAP,
+            description = "Provider to service mapping. If not specified, the provider for the service will be mapped to the default provider on the physical network")
+    private Map serviceProviderList;
+
+    @Parameter(name = ApiConstants.SERVICE_CAPABILITY_LIST, type = CommandType.MAP, description = "Desired service capabilities as part of network offering")
+    private Map serviceCapabilitiesList;
+
+    @Parameter(name = ApiConstants.SPECIFY_IP_RANGES,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering supports specifying ip ranges; defaulted to false if not specified")
+    private Boolean specifyIpRanges;
+
+    @Parameter(name = ApiConstants.IS_PERSISTENT,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering supports persistent networks; defaulted to false if not specified")
+    private Boolean isPersistent;
+
+    @Parameter(name = ApiConstants.FOR_VPC,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering is meant to be used for VPC, false otherwise.")
+    private Boolean forVpc;
+
+    @Deprecated
+    @Parameter(name = ApiConstants.FOR_NSX,
+            type = CommandType.BOOLEAN,
+            description = "true if network offering is meant to be used for NSX, false otherwise.",
+            since = "4.20.0")
+    private Boolean forNsx;
+
+    @Parameter(name = ApiConstants.PROVIDER,
+            type = CommandType.STRING,
+            description = "Name of the provider providing the service",
+            since = "4.21.0")
+    private String provider;
+
+    @Parameter(name = ApiConstants.NSX_SUPPORT_LB,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering for NSX network offering supports Load balancer service.",
+            since = "4.20.0")
+    private Boolean nsxSupportsLbService;
+
+    @Parameter(name = ApiConstants.NSX_SUPPORTS_INTERNAL_LB,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering for NSX network offering supports Internal Load balancer service.",
+            since = "4.20.0")
+    private Boolean nsxSupportsInternalLbService;
+
+    @Parameter(name = ApiConstants.NETWORK_MODE,
+            type = CommandType.STRING,
+            description = "Indicates the mode with which the network will operate. Valid option: NATTED or ROUTED",
+            since = "4.20.0")
+    private String networkMode;
+
+    @Parameter(name = ApiConstants.FOR_TUNGSTEN,
+            type = CommandType.BOOLEAN,
+            description = "True if network offering is meant to be used for Tungsten-Fabric, false otherwise.")
+    private Boolean forTungsten;
+
+    @Parameter(name = ApiConstants.DETAILS, type = CommandType.MAP, since = "4.2.0", description = "Network offering details in key/value pairs."
+            + " Supported keys are internallbprovider/publiclbprovider with service provider as a value, and"
+            + " promiscuousmode/macaddresschanges/forgedtransmits with true/false as value to accept/reject the security settings if available for a nic/portgroup")
+    protected Map details;
+
+    @Parameter(name = ApiConstants.EGRESS_DEFAULT_POLICY,
+            type = CommandType.BOOLEAN,
+            description = "True if guest network default egress policy is allow; false if default egress policy is deny")
+    private Boolean egressDefaultPolicy;
+
+    @Parameter(name = ApiConstants.KEEPALIVE_ENABLED,
+            type = CommandType.BOOLEAN,
+            required = false,
+            description = "If true keepalive will be turned on in the loadbalancer. At the time of writing this has only an effect on haproxy; the mode http and httpclose options are unset in the haproxy conf file.")
+    private Boolean keepAliveEnabled;
+
+    @Parameter(name = ApiConstants.MAX_CONNECTIONS,
+            type = CommandType.INTEGER,
+            description = "Maximum number of concurrent connections supported by the Network offering")
+    private Integer maxConnections;
+
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+            type = CommandType.LIST,
+            collectionType = CommandType.UUID,
+            entityType = DomainResponse.class,
+            description = "The ID of the containing domain(s), null for public offerings")
+    private List<Long> domainIds;
+
+    @Parameter(name = ApiConstants.ZONE_ID,
+            type = CommandType.LIST,
+            collectionType = CommandType.UUID,
+            entityType = ZoneResponse.class,
+            description = "The ID of the containing zone(s), null for public offerings",
+            since = "4.13")
+    private List<Long> zoneIds;
+
+    @Parameter(name = ApiConstants.ENABLE,
+            type = CommandType.BOOLEAN,
+            description = "Set to true if the offering is to be enabled during creation. Default is false",
+            since = "4.16")
+    private Boolean enable;
+
+    @Parameter(name = ApiConstants.SPECIFY_AS_NUMBER, type = CommandType.BOOLEAN, since = "4.20.0",
+            description = "true if network offering supports choosing AS number")
+    private Boolean specifyAsNumber;
+
+    @Parameter(name = ApiConstants.ROUTING_MODE,
+            type = CommandType.STRING,
+            since = "4.20.0",
+            description = "the routing mode for the network offering. Supported types are: Static or Dynamic.")
+    private String routingMode;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public String getNetworkOfferingName() {
+        return networkOfferingName;
+    }
+
+    public String getDisplayText() {
+        return StringUtils.isEmpty(displayText) ? networkOfferingName : displayText;
+    }
+
+    public String getTags() {
+        return tags;
+    }
+
+    public Boolean getSpecifyVlan() {
+        return specifyVlan == null ? false : specifyVlan;
+    }
+
+    public String getAvailability() {
+        return availability == null ? NetworkOffering.Availability.Optional.toString() : availability;
+    }
+
+    public Integer getNetworkRate() {
+        return networkRate;
+    }
+
+    public Long getServiceOfferingId() {
+        return serviceOfferingId;
+    }
+
+    public boolean isExternalNetworkProvider() {
+        return Arrays.asList("NSX", "Netris").stream()
+                .anyMatch(s -> provider != null && s.equalsIgnoreCase(provider));
+    }
+
+    public boolean isForNsx() {
+        return provider != null && provider.equalsIgnoreCase("NSX");
+    }
+
+    public boolean isForNetris() {
+        return provider != null && provider.equalsIgnoreCase("Netris");
+    }
+
+    public String getProvider() {
+        return provider;
+    }
+
+    public List<String> getSupportedServices() {
+        if (!isExternalNetworkProvider()) {
+            return supportedServices == null ? new ArrayList<String>() : supportedServices;
+        } else {
+            List<String> services = new ArrayList<>(List.of(
+                    Dhcp.getName(),
+                    Dns.getName(),
+                    UserData.getName()
+            ));
+            if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode())) {
+                services.addAll(Arrays.asList(
+                        StaticNat.getName(),
+                        SourceNat.getName(),
+                        PortForwarding.getName()));
+            }
+            if (getNsxSupportsLbService() || (provider != null && isNetrisNatted(getProvider(), getNetworkMode()))) {
+                services.add(Lb.getName());
+            }
+            if (Boolean.TRUE.equals(forVpc)) {
+                services.add(NetworkACL.getName());
+            } else {
+                services.add(Firewall.getName());
+            }
+            return services;
+        }
+    }
+
+    public String getInternetProtocol() {
+        return internetProtocol;
+    }
+
+    public Boolean getSpecifyIpRanges() {
+        return specifyIpRanges == null ? false : specifyIpRanges;
+    }
+
+    public Boolean getConserveMode() {
+        if (conserveMode == null) {
+            return true;
+        }
+        return conserveMode;
+    }
+
+    public Boolean getIsPersistent() {
+        return isPersistent == null ? false : isPersistent;
+    }
+
+    public Boolean getForVpc() {
+        return forVpc;
+    }
+
+    public String getNetworkMode() {
+        return networkMode;
+    }
+
+    public boolean getNsxSupportsLbService() {
+        return BooleanUtils.isTrue(nsxSupportsLbService);
+    }
+
+    public boolean getNsxSupportsInternalLbService() {
+        return BooleanUtils.isTrue(nsxSupportsInternalLbService);
+    }
+
+    public Boolean getForTungsten() {
+        return forTungsten;
+    }
+
+    public Boolean getEgressDefaultPolicy() {
+        if (egressDefaultPolicy == null) {
+            return true;
+        }
+        return egressDefaultPolicy;
+    }
+
+    public Boolean getKeepAliveEnabled() {
+        return keepAliveEnabled;
+    }
+
+    public Integer getMaxconnections() {
+        return maxConnections;
+    }
+
+    public Map<String, List<String>> getServiceProviders() {
+        Map<String, List<String>> serviceProviderMap = new HashMap<>();
+        if (serviceProviderList != null && !serviceProviderList.isEmpty() && !isExternalNetworkProvider()) {
+            Collection servicesCollection = serviceProviderList.values();
+            Iterator iter = servicesCollection.iterator();
+            while (iter.hasNext()) {
+                HashMap<String, String> services = (HashMap<String, String>) iter.next();
+                String service = services.get("service");
+                String provider = services.get("provider");
+                List<String> providerList = null;
+                if (serviceProviderMap.containsKey(service)) {
+                    providerList = serviceProviderMap.get(service);
+                } else {
+                    providerList = new ArrayList<String>();
+                }
+                providerList.add(provider);
+                serviceProviderMap.put(service, providerList);
+            }
+        } else if (isExternalNetworkProvider()) {
+            getServiceProviderMapForExternalProvider(serviceProviderMap, Network.Provider.getProvider(provider).getName());
+        }
+        return serviceProviderMap;
+    }
+
+    private void getServiceProviderMapForExternalProvider(Map<String, List<String>> serviceProviderMap, String provider) {
+        String routerProvider = Boolean.TRUE.equals(getForVpc()) ? VirtualRouterProvider.Type.VPCVirtualRouter.name() :
+                VirtualRouterProvider.Type.VirtualRouter.name();
+        List<String> unsupportedServices = new ArrayList<>(List.of("Vpn", "Gateway", "SecurityGroup", "Connectivity", "BaremetalPxeService"));
+        List<String> routerSupported = List.of("Dhcp", "Dns", "UserData");
+        List<String> allServices = Network.Service.listAllServices().stream().map(Network.Service::getName).collect(Collectors.toList());
+        if (routerProvider.equals(VirtualRouterProvider.Type.VPCVirtualRouter.name())) {
+            unsupportedServices.add("Firewall");
+        } else {
+            unsupportedServices.add("NetworkACL");
+        }
+        for (String service : allServices) {
+            if (unsupportedServices.contains(service))
+                continue;
+            if (routerSupported.contains(service))
+                serviceProviderMap.put(service, List.of(routerProvider));
+            else if (NetworkOffering.NetworkMode.NATTED.name().equalsIgnoreCase(getNetworkMode()) || NetworkACL.getName().equalsIgnoreCase(service)) {
+                serviceProviderMap.put(service, List.of(provider));
+            }
+            if (isNsxWithoutLb(getProvider(), getNsxSupportsLbService()) || isNetrisRouted(getProvider(), getNetworkMode())) {
+                serviceProviderMap.remove(Lb.getName());
+            }
+        }
+    }
+
+    public Map<Network.Capability, String> getServiceCapabilities(Network.Service service) {
+        Map<Network.Capability, String> capabilityMap = null;
+
+        if (serviceCapabilitiesList != null && !serviceCapabilitiesList.isEmpty()) {
+            capabilityMap = new HashMap<Network.Capability, String>();
+            Collection serviceCapabilityCollection = serviceCapabilitiesList.values();
+            Iterator iter = serviceCapabilityCollection.iterator();
+            while (iter.hasNext()) {
+                HashMap<String, String> svcCapabilityMap = (HashMap<String, String>) iter.next();
+                Network.Capability capability = null;
+                String svc = svcCapabilityMap.get("service");
+                String capabilityName = svcCapabilityMap.get("capabilitytype");
+                String capabilityValue = svcCapabilityMap.get("capabilityvalue");
+
+                if (capabilityName != null) {
+                    capability = Network.Capability.getCapability(capabilityName);
+                }
+
+                if ((capability == null) || (capabilityName == null) || (capabilityValue == null)) {
+                    throw new InvalidParameterValueException("Invalid capability:" + capabilityName + " capability value:" + capabilityValue);
+                }
+
+                if (svc.equalsIgnoreCase(service.getName())) {
+                    capabilityMap.put(capability, capabilityValue);
+                } else {
+                    //throw new InvalidParameterValueException("Service is not equal ")
+                }
+            }
+        }
+
+        return capabilityMap;
+    }
+
+    public Map<String, String> getDetails() {
+        if (details == null || details.isEmpty()) {
+            return null;
+        }
+
+        Collection paramsCollection = details.values();
+        Object objlist[] = paramsCollection.toArray();
+        Map<String, String> params = (Map<String, String>) (objlist[0]);
+        for (int i = 1; i < objlist.length; i++) {
+            params.putAll((Map<String, String>) (objlist[i]));
+        }
+
+        return params;
+    }
+
+    public String getServicePackageId() {
+        Map<String, String> data = getDetails();
+        if (data == null)
+            return null;
+        return data.get(NetworkOffering.Detail.servicepackageuuid + "");
+    }
+
+    public List<Long> getDomainIds() {
+        if (CollectionUtils.isNotEmpty(domainIds)) {
+            Set<Long> set = new LinkedHashSet<>(domainIds);
+            domainIds.clear();
+            domainIds.addAll(set);
+        }
+        return domainIds;
+    }
+
+    public List<Long> getZoneIds() {
+        if (CollectionUtils.isNotEmpty(zoneIds)) {
+            Set<Long> set = new LinkedHashSet<>(zoneIds);
+            zoneIds.clear();
+            zoneIds.addAll(set);
+        }
+        return zoneIds;
+    }
+
+    public Boolean getEnable() {
+        if (enable != null) {
+            return enable;
+        }
+        return false;
+    }
+
+    public boolean getSpecifyAsNumber() {
+        return BooleanUtils.toBoolean(specifyAsNumber);
+    }
+
+    public String getRoutingMode() {
+        return routingMode;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneDiskOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneDiskOfferingCmd.java
new file mode 100644
index 00000000000..8d822be203a
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneDiskOfferingCmd.java
@@ -0,0 +1,73 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.offering;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.DiskOfferingResponse;
+
+import com.cloud.offering.DiskOffering;
+
+@APICommand(name = "cloneDiskOffering",
+        description = "Clones a disk offering. All parameters from createDiskOffering are available. If not specified, values will be copied from the source offering.",
+        responseObject = DiskOfferingResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false,
+        since = "4.23.0",
+        authorized = {RoleType.Admin, RoleType.DomainAdmin})
+public class CloneDiskOfferingCmd extends CreateDiskOfferingCmd {
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.SOURCE_OFFERING_ID,
+            type = BaseCmd.CommandType.UUID,
+            entityType = DiskOfferingResponse.class,
+            required = true,
+            description = "The ID of the source disk offering to clone from")
+    private Long sourceOfferingId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getSourceOfferingId() {
+        return sourceOfferingId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() {
+        DiskOffering result = _configService.cloneDiskOffering(this);
+        if (result != null) {
+            DiskOfferingResponse response = _responseGenerator.createDiskOfferingResponse(result);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to clone disk offering");
+        }
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmd.java
new file mode 100644
index 00000000000..d01ca4c195d
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmd.java
@@ -0,0 +1,79 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.offering;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ServiceOfferingResponse;
+
+import com.cloud.offering.ServiceOffering;
+
+@APICommand(name = "cloneServiceOffering",
+        description = "Clones a service offering. All parameters from createServiceOffering are available. If not specified, values will be copied from the source offering.",
+        responseObject = ServiceOfferingResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false,
+        since = "4.23.0",
+        authorized = {RoleType.Admin, RoleType.DomainAdmin})
+public class CloneServiceOfferingCmd extends CreateServiceOfferingCmd {
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.SOURCE_OFFERING_ID,
+            type = CommandType.UUID,
+            entityType = ServiceOfferingResponse.class,
+            required = true,
+            description = "The ID of the source service offering to clone from")
+    private Long sourceOfferingId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getSourceOfferingId() {
+        return sourceOfferingId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+
+    @Override
+    public void execute() {
+        try {
+            ServiceOffering result = _configService.cloneServiceOffering(this);
+            if (result != null) {
+                ServiceOfferingResponse response = _responseGenerator.createServiceOfferingResponse(result);
+                response.setResponseName(getCommandName());
+                this.setResponseObject(response);
+            } else {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to clone service offering");
+            }
+        } catch (com.cloud.exception.InvalidParameterValueException e) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, e.getMessage());
+        } catch (com.cloud.utils.exception.CloudRuntimeException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, e.getMessage());
+        }
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/storage/AddImageStoreS3CMD.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/storage/AddImageStoreS3CMD.java
index 2fe3c7cd106..75fcf125eb1 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/storage/AddImageStoreS3CMD.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/storage/AddImageStoreS3CMD.java
@@ -27,7 +27,7 @@ import static org.apache.cloudstack.api.ApiConstants.S3_END_POINT;
 import static org.apache.cloudstack.api.ApiConstants.S3_HTTPS_FLAG;
 import static org.apache.cloudstack.api.ApiConstants.S3_MAX_ERROR_RETRY;
 import static org.apache.cloudstack.api.ApiConstants.S3_SIGNER;
-import static org.apache.cloudstack.api.ApiConstants.S3_SECRET_KEY;
+import static org.apache.cloudstack.api.ApiConstants.SECRET_KEY;
 import static org.apache.cloudstack.api.ApiConstants.S3_SOCKET_TIMEOUT;
 import static org.apache.cloudstack.api.ApiConstants.S3_USE_TCP_KEEPALIVE;
 import static org.apache.cloudstack.api.BaseCmd.CommandType.BOOLEAN;
@@ -64,7 +64,7 @@ public final class AddImageStoreS3CMD extends BaseCmd implements ClientOptions {
     @Parameter(name = S3_ACCESS_KEY, type = STRING, required = true, description = "S3 access key")
     private String accessKey;
 
-    @Parameter(name = S3_SECRET_KEY, type = STRING, required = true, description = "S3 secret key")
+    @Parameter(name = SECRET_KEY, type = STRING, required = true, description = "S3 secret key")
     private String secretKey;
 
     @Parameter(name = S3_END_POINT, type = STRING, required = true, description = "S3 endpoint")
@@ -101,7 +101,7 @@ public final class AddImageStoreS3CMD extends BaseCmd implements ClientOptions {
         Map<String, String> dm = new HashMap();
 
         dm.put(ApiConstants.S3_ACCESS_KEY, getAccessKey());
-        dm.put(ApiConstants.S3_SECRET_KEY, getSecretKey());
+        dm.put(ApiConstants.SECRET_KEY, getSecretKey());
         dm.put(ApiConstants.S3_END_POINT, getEndPoint());
         dm.put(ApiConstants.S3_BUCKET_NAME, getBucketName());
 
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/DeleteUserKeysCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/DeleteUserKeysCmd.java
new file mode 100644
index 00000000000..6cf55514ba3
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/DeleteUserKeysCmd.java
@@ -0,0 +1,81 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.user;
+
+import com.cloud.event.EventTypes;
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.SuccessResponse;
+
+@APICommand(name = "deleteUserKeys", description = "Deletes a keypair from a user", responseObject = SuccessResponse.class,
+        since = "4.23.0", requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+public class DeleteUserKeysCmd extends BaseAsyncCmd {
+    @ACL
+    @Parameter(name = ApiConstants.KEYPAIR_ID, type = CommandType.UUID, entityType = ApiKeyPairResponse.class, required = true, description = "ID of the keypair to be deleted.")
+    private Long id;
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.User;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        ApiKeyPair keyPair = apiKeyPairService.findById(id);
+        if (keyPair != null) {
+            return keyPair.getAccountId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    public Long getId() {
+        return id;
+    }
+
+    @Override
+    public void execute() {
+        _accountService.deleteApiKey(this);
+
+        SuccessResponse response = new SuccessResponse(getCommandName());
+        this.setResponseObject(response);
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_DELETE_SECRET_API_KEY;
+    }
+
+    @Override
+    public String getEventDescription() {
+        ApiKeyPair keyPair = apiKeyPairService.findById(id);
+        return String.format("Deleting API key pair with ID [%s]%s",
+                keyPair == null ? id : keyPair.getUuid(),
+                keyPair == null ? "." : String.format(" and name [%s].", keyPair.getName()));
+    }
+
+    @Override
+    public Long getSyncObjId() {
+        return getId();
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java
index f04c5f6c478..a651befcff7 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/GetUserKeysCmd.java
@@ -32,33 +32,33 @@ import org.apache.cloudstack.api.response.UserResponse;
 import java.util.Map;
 
 @APICommand(name = "getUserKeys",
-            description = "This command allows the user to query the seceret and API keys for the account",
-            responseObject = RegisterUserKeyResponse.class,
-            requestHasSensitiveInfo = false,
-            responseHasSensitiveInfo = true,
-            authorized = {RoleType.User, RoleType.Admin, RoleType.DomainAdmin, RoleType.ResourceAdmin},
-            since = "4.10.0")
-
-public class GetUserKeysCmd extends BaseCmd{
-
-    @Parameter(name= ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required")
+        description = "Queries the last registered secret and API keys of a user.",
+        responseObject = RegisterUserKeyResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = true,
+        authorized = {RoleType.User, RoleType.Admin, RoleType.DomainAdmin, RoleType.ResourceAdmin},
+        since = "4.10.0")
+public class GetUserKeysCmd extends BaseCmd {
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user whose keys are required")
     private Long id;
 
-
-    public Long getID(){
+    public Long getId() {
         return id;
-    }public long getEntityOwnerId(){
-        User user = _entityMgr.findById(User.class, getID());
-        if(user != null){
+    }
+
+    public long getEntityOwnerId() {
+        User user = _entityMgr.findById(User.class, getId());
+        if (user != null) {
             return user.getAccountId();
         }
-        else return Account.ACCOUNT_ID_SYSTEM;
+        return Account.ACCOUNT_ID_SYSTEM;
     }
-    public void execute(){
+
+    public void execute() {
         Pair<Boolean, Map<String, String>> keys = _accountService.getKeys(this);
 
         RegisterUserKeyResponse response = new RegisterUserKeyResponse();
-        if(keys != null){
+        if (keys != null){
             response.setApiKeyAccess(keys.first());
             response.setApiKey(keys.second().get("apikey"));
             response.setSecretKey(keys.second().get("secretkey"));
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeyRulesCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeyRulesCmd.java
new file mode 100644
index 00000000000..4345cae9291
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeyRulesCmd.java
@@ -0,0 +1,68 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.BaseRolePermissionResponse;
+import org.apache.cloudstack.api.response.ListResponse;
+
+import java.util.List;
+
+@APICommand(name = "listUserKeyRules",
+            description = "Lists the rules defined for a API key pair.",
+            responseObject = BaseRolePermissionResponse.class,
+            requestHasSensitiveInfo = false,
+            responseHasSensitiveInfo = false,
+            since = "4.23.0")
+public class ListUserKeyRulesCmd extends BaseCmd {
+    @ACL
+    @Parameter(name = ApiConstants.KEYPAIR_ID, type = CommandType.UUID,  entityType = ApiKeyPairResponse.class, description = "ID of the key pair.", required = true)
+    private Long id;
+
+    public Long getId() {
+        return id;
+    }
+
+    public long getEntityOwnerId() {
+        ApiKeyPair keyPair = apiKeyPairService.findById(getId());
+        if (keyPair != null) {
+            return keyPair.getAccountId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException {
+        List<ApiKeyPairPermission> permissions = _accountService.listKeyRules(this);
+        ListResponse<BaseRolePermissionResponse> response = _responseGenerator.createKeypairPermissionsResponse(permissions);
+        response.setResponseName(getCommandName());
+        setResponseObject(response);
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeysCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeysCmd.java
new file mode 100644
index 00000000000..ded05d6381a
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/ListUserKeysCmd.java
@@ -0,0 +1,101 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.user;
+
+
+import com.cloud.user.Account;
+import com.cloud.user.UserAccount;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+@APICommand(name = "listUserKeys",
+        description = "Lists the API key pairs (API and secret keys) of a user.",
+        responseObject = ApiKeyPairResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = true,
+        authorized = {RoleType.User, RoleType.Admin, RoleType.DomainAdmin, RoleType.ResourceAdmin},
+        since = "4.23.0")
+public class ListUserKeysCmd extends BaseListCmd {
+    @ACL
+    @Parameter(name = ApiConstants.USER_ID, type = CommandType.UUID, entityType = UserResponse.class, description = "ID of the user that owns the keys.")
+    private Long userId;
+
+    @ACL
+    @Parameter(name = ApiConstants.KEYPAIR_ID, type = CommandType.UUID, entityType = ApiKeyPairResponse.class, description = "ID of the key pair.")
+    private Long keyPairId;
+
+    @Parameter(name = ApiConstants.API_KEY_FILTER, type = CommandType.STRING, description = "API key of the key pair.")
+    private String apiKeyFilter;
+
+    @Parameter(name = ApiConstants.SHOW_PERMISSIONS, type = CommandType.BOOLEAN, description = "Whether API Key rules should be returned. Defaults to false.")
+    private boolean showPermissions = false;
+
+    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin},
+            description = "Lists all API key pairs of users that are accessible by the calling account. Only available for administrators. Defaults to false.")
+    private boolean listAll = false;
+
+    public Long getUserId() {
+        return userId;
+    }
+
+    public Long getKeyId() {
+        return keyPairId;
+    }
+
+    public String getApiKeyFilter() {
+        return apiKeyFilter;
+    }
+
+    public Boolean getShowPermissions() {
+        return showPermissions;
+    }
+
+    public boolean getListAll() {
+        return listAll;
+    }
+
+    public long getEntityOwnerId() {
+        if (getKeyId() != null) {
+            ApiKeyPair keypair = apiKeyPairService.findById(getKeyId());
+            if (keypair != null) {
+                return keypair.getAccountId();
+            }
+        } else if (getUserId() != null) {
+            UserAccount userAccount = _accountService.getUserAccountById(getUserId());
+            if (userAccount != null) {
+                return userAccount.getAccountId();
+            }
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    public void execute() {
+        ListResponse<ApiKeyPairResponse> finalResponse = _accountService.listKeys(this);
+        finalResponse.setObjectName("userkeys");
+        finalResponse.setResponseName(getCommandName());
+        setResponseObject(finalResponse);
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeyCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeyCmd.java
deleted file mode 100644
index 61f47e2799c..00000000000
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeyCmd.java
+++ /dev/null
@@ -1,93 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package org.apache.cloudstack.api.command.admin.user;
-
-import org.apache.cloudstack.api.ApiCommandResourceType;
-
-import org.apache.cloudstack.api.APICommand;
-import org.apache.cloudstack.api.ApiConstants;
-import org.apache.cloudstack.api.BaseCmd;
-import org.apache.cloudstack.api.Parameter;
-import org.apache.cloudstack.api.response.RegisterUserKeyResponse;
-import org.apache.cloudstack.api.response.UserResponse;
-
-import com.cloud.user.Account;
-import com.cloud.user.User;
-
-@APICommand(name = "registerUserKeys",
-            responseObject = RegisterUserKeyResponse.class,
-            description = "This command allows a user to register for the developer API, returning a secret key and an API key. This request is made through the integration API port, so it is a privileged command and must be made on behalf of a user. It is up to the implementer just how the username and password are entered, and then how that translates to an integration API request. Both secret key and API key should be returned to the user",
-            requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
-public class RegisterUserKeyCmd extends BaseCmd {
-
-
-    /////////////////////////////////////////////////////
-    //////////////// API parameters /////////////////////
-    /////////////////////////////////////////////////////
-
-    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "User id")
-    private Long id;
-
-    /////////////////////////////////////////////////////
-    /////////////////// Accessors ///////////////////////
-    /////////////////////////////////////////////////////
-
-    public Long getId() {
-        return id;
-    }
-
-    public void setId(Long id) {
-        this.id = id;
-    }
-
-    /////////////////////////////////////////////////////
-    /////////////// API Implementation///////////////////
-    /////////////////////////////////////////////////////
-
-    @Override
-    public long getEntityOwnerId() {
-        User user = _entityMgr.findById(User.class, getId());
-        if (user != null) {
-            return user.getAccountId();
-        }
-
-        return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
-    }
-
-    @Override
-    public Long getApiResourceId() {
-        return id;
-    }
-
-    @Override
-    public ApiCommandResourceType getApiResourceType() {
-        return ApiCommandResourceType.User;
-    }
-
-    @Override
-    public void execute() {
-        String[] keys = _accountService.createApiKeyAndSecretKey(this);
-        RegisterUserKeyResponse response = new RegisterUserKeyResponse();
-        if (keys != null) {
-            response.setApiKey(keys[0]);
-            response.setSecretKey(keys[1]);
-        }
-        response.setObjectName("userkeys");
-        response.setResponseName(getCommandName());
-        this.setResponseObject(response);
-    }
-}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeysCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeysCmd.java
new file mode 100644
index 00000000000..11d7c1d2ffa
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/RegisterUserKeysCmd.java
@@ -0,0 +1,209 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.user;
+
+import com.cloud.event.EventTypes;
+import com.cloud.user.Account;
+import com.cloud.user.User;
+import org.apache.cloudstack.acl.Rule;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.commons.lang3.StringUtils;
+
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.UserResponse;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+@APICommand(name = "registerUserKeys",
+            responseObject = ApiKeyPairResponse.class,
+            description = "Registers an API key pair (API and secret keys) for a user.",
+            requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
+public class RegisterUserKeysCmd extends BaseAsyncCmd {
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = UserResponse.class, required = true, description = "ID of the user.")
+    private Long id;
+
+    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "API key pair name.")
+    private String name;
+
+    @Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "API key pair description.")
+    private String description;
+
+    @Parameter(name = ApiConstants.START_DATE, type = CommandType.DATE, description = "Start date of the API key pair. " +
+            ApiConstants.PARAMETER_DESCRIPTION_START_DATE_POSSIBLE_FORMATS)
+    private Date startDate;
+
+    @Parameter(name = ApiConstants.END_DATE, type = CommandType.DATE, description = "Expiration date of the API key pair. " +
+            ApiConstants.PARAMETER_DESCRIPTION_END_DATE_POSSIBLE_FORMATS)
+    private Date endDate;
+
+    @Parameter(name = ApiConstants.RULES, type = CommandType.MAP, description = "The rules of the API key pair. If no rules are informed, " +
+            "defaults to allowing all account permissions. Otherwise, only the explicitly informed permissions for the key pair will be " +
+            "considered. Lower indexed rules take precedence over higher. Thus, in the following example: " +
+            "\"rules[0].rule=deleteUserKeys rules[0].permission=deny rules[1].rule=*UserKey* rules[1].permission=allow\", all rules matching " +
+            "the expression \"*UserKeys*\" will be allowed, except for \"deleteUserKeys\".")
+    private Map rules;
+
+    public void setUserId(Long userId) {
+        this.id = userId;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Date getStartDate() {
+        return startDate;
+    }
+
+    public void setStartDate(Date startDate) {
+        this.startDate = startDate;
+    }
+
+    public Date getEndDate() {
+        return endDate;
+    }
+
+    public void setEndDate(Date endDate) {
+        this.endDate = endDate;
+    }
+
+    public void setRules(Map rules) {
+        this.rules = rules;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    public List<Map<String, Object>> getRules() {
+        List<Map<String, Object>> rulesDetails = new ArrayList<>();
+
+        if (rules == null) {
+            return rulesDetails;
+        }
+
+        for (Object ruleObject : rules.values()) {
+            HashMap<String, String> detail = (HashMap<String, String>) ruleObject;
+            Map<String, Object> ruleDetails = new HashMap<>();
+
+            String rule = detail.get(ApiConstants.RULE);
+            if (StringUtils.isEmpty(rule)) {
+                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Empty rule has been provided in the [rules] parameter.");
+            }
+
+            String permission = detail.get(ApiConstants.PERMISSION);
+            if (StringUtils.isEmpty(permission)) {
+                throw new ServerApiException(ApiErrorCode.PARAM_ERROR, String.format("Rule [%s] has no permission associated with it," +
+                        " please specify if it is either [allow] or [deny].", rule));
+            }
+            ruleDetails.put(ApiConstants.RULE, new Rule(rule));
+            ruleDetails.put(ApiConstants.PERMISSION, roleService.getRolePermission(permission));
+
+            String description = detail.get(ApiConstants.DESCRIPTION);
+            if (StringUtils.isNotEmpty(description)) {
+                ruleDetails.put(ApiConstants.DESCRIPTION, description);
+            }
+
+            rulesDetails.add(ruleDetails);
+        }
+        return rulesDetails;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        User user = _entityMgr.findById(User.class, getUserId());
+        List<Long> accessibleUsers = _queryService.searchForAccessibleUsers();
+        if (user != null && accessibleUsers.stream().anyMatch(u -> u == user.getId())) {
+            return user.getAccountId();
+        }
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    public Long getUserId() {
+        return id;
+    }
+
+    @Override
+    public Long getApiResourceId() {
+        User user = _entityMgr.findById(User.class, getUserId());
+        if (user != null) {
+            return user.getId();
+        }
+        return null;
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.User;
+    }
+
+    @Override
+    public void execute() {
+        ApiKeyPair apiKeyPair = _accountService.createApiKeyAndSecretKey(this);
+        ApiKeyPairResponse response = new ApiKeyPairResponse();
+        if (apiKeyPair != null) {
+            response = _responseGenerator.createKeyPairResponse(apiKeyPair);
+        }
+        response.setObjectName("userkeys");
+        response.setResponseName(getCommandName());
+        this.setResponseObject(response);
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_REGISTER_FOR_SECRET_API_KEY;
+    }
+
+    @Override
+    public String getEventDescription() {
+        String userUuid = getResourceUuid(ApiConstants.ID);
+        return String.format("Registering API keypair for user [%s].", userUuid == null ? id : userUuid);
+    }
+
+    @Override
+    public String getSyncObjType() {
+        return BaseAsyncCmd.user;
+    }
+
+    @Override
+    public Long getSyncObjId() {
+        return getUserId();
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java
index 628ddb96deb..3f5ce241502 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java
@@ -46,8 +46,8 @@ public class UpdateUserCmd extends BaseCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, description = "The API key for the user. Must be specified with userSecretKey")
-    private String apiKey;
+    @Parameter(name = ApiConstants.USER_API_KEY, type = CommandType.STRING, description = "Updates the latest API key of the user. Must be specified with usersecretkey")
+    private String userApiKey;
 
     @Parameter(name = ApiConstants.EMAIL, type = CommandType.STRING, description = "Email")
     private String email;
@@ -70,8 +70,8 @@ public class UpdateUserCmd extends BaseCmd {
     @Parameter(name = ApiConstants.CURRENT_PASSWORD, type = CommandType.STRING, description = "Current password that was being used by the user. You must inform the current password when updating the password.", acceptedOnAdminPort = false)
     private String currentPassword;
 
-    @Parameter(name = ApiConstants.USER_SECRET_KEY, type = CommandType.STRING, description = "The secret key for the user. Must be specified with userApiKey")
-    private String secretKey;
+    @Parameter(name = ApiConstants.USER_SECRET_KEY, type = CommandType.STRING, description = "Updates the latest secret key of the user. Must be specified with userapikey.")
+    private String userSecretKey;
 
     @Parameter(name = ApiConstants.API_KEY_ACCESS, type = CommandType.STRING, description = "Determines if Api key access for this user is enabled, disabled or inherits the value from its parent, the owning account", since = "4.20.1.0", authorized = {RoleType.Admin})
     private String apiKeyAccess;
@@ -99,7 +99,7 @@ public class UpdateUserCmd extends BaseCmd {
     /////////////////////////////////////////////////////
 
     public String getApiKey() {
-        return apiKey;
+        return userApiKey;
     }
 
     public String getEmail() {
@@ -127,7 +127,7 @@ public class UpdateUserCmd extends BaseCmd {
     }
 
     public String getSecretKey() {
-        return secretKey;
+        return userSecretKey;
     }
 
     public String getApiKeyAccess() {
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CloneVPCOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CloneVPCOfferingCmd.java
new file mode 100644
index 00000000000..2148ff5c2d4
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CloneVPCOfferingCmd.java
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.vpc;
+
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.network.vpc.VpcOffering;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.VpcOfferingResponse;
+
+import java.util.List;
+
+@APICommand(name = "cloneVPCOffering",
+        description = "Clones an existing VPC offering. All parameters are copied from the source offering unless explicitly overridden. " +
+                "Use 'addServices' and 'dropServices' to modify the service list without respecifying everything.",
+        responseObject = VpcOfferingResponse.class,
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = false,
+        since = "4.23.0")
+public class CloneVPCOfferingCmd extends CreateVPCOfferingCmd {
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.SOURCE_OFFERING_ID,
+            type = BaseCmd.CommandType.UUID,
+            entityType = VpcOfferingResponse.class,
+            required = true,
+            description = "The ID of the source VPC offering to clone from")
+    private Long sourceOfferingId;
+
+    @Parameter(name = "addservices",
+            type = CommandType.LIST,
+            collectionType = CommandType.STRING,
+            description = "Services to add to the cloned offering (in addition to source offering services). " +
+                    "If specified along with 'supportedservices', this parameter is ignored.")
+    private List<String> addServices;
+
+    @Parameter(name = "dropservices",
+            type = CommandType.LIST,
+            collectionType = CommandType.STRING,
+            description = "Services to remove from the cloned offering (that exist in source offering). " +
+                    "If specified along with 'supportedservices', this parameter is ignored.")
+    private List<String> dropServices;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getSourceOfferingId() {
+        return sourceOfferingId;
+    }
+
+    public List<String> getAddServices() {
+        return addServices;
+    }
+
+    public List<String> getDropServices() {
+        return dropServices;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void create() throws ResourceAllocationException {
+        // Set a temporary entity ID (source offering ID) to prevent NullPointerException
+        // in ApiServer.queueCommand(). This will be updated in execute() with the actual
+        // cloned offering ID.
+        if (sourceOfferingId != null) {
+            setEntityId(sourceOfferingId);
+        }
+    }
+
+    @Override
+    public void execute() {
+        VpcOffering result = _vpcProvSvc.cloneVPCOffering(this);
+        if (result != null) {
+            setEntityId(result.getId());
+            setEntityUuid(result.getUuid());
+
+            VpcOfferingResponse response = _responseGenerator.createVpcOfferingResponse(result);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to clone VPC offering");
+        }
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
index 6b425bc10d2..2b934a60da7 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/vpc/CreateVPCOfferingCmd.java
@@ -28,7 +28,6 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.network.Network;
 import com.cloud.network.VirtualRouterProvider;
 import com.cloud.offering.NetworkOffering;
@@ -161,6 +160,12 @@ public class CreateVPCOfferingCmd extends BaseAsyncCreateCmd {
             description = "the routing mode for the VPC offering. Supported types are: Static or Dynamic.")
     private String routingMode;
 
+    @Parameter(name = ApiConstants.CONSERVE_MODE, type = CommandType.BOOLEAN,
+            since = "4.23.0",
+            description = "True if the VPC offering is IP conserve mode enabled, allowing public IPs to be used across multiple VPC tiers. Default value is false")
+    private Boolean conserveMode;
+
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -179,9 +184,7 @@ public class CreateVPCOfferingCmd extends BaseAsyncCreateCmd {
     }
 
     public List<String> getSupportedServices() {
-        if (!isExternalNetworkProvider() && CollectionUtils.isEmpty(supportedServices)) {
-            throw new InvalidParameterValueException("Supported services needs to be provided");
-        }
+        // For external network providers, auto-populate services based on network mode
         if (isExternalNetworkProvider()) {
             supportedServices = new ArrayList<>(List.of(
                     Dhcp.getName(),
@@ -311,6 +314,10 @@ public class CreateVPCOfferingCmd extends BaseAsyncCreateCmd {
         return routingMode;
     }
 
+    public boolean isConserveMode() {
+        return BooleanUtils.toBoolean(conserveMode);
+    }
+
     @Override
     public void create() throws ResourceAllocationException {
         VpcOffering vpcOff = _vpcProvSvc.createVpcOffering(this);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
index 056807b9b53..2bc5fc2ee68 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java
@@ -54,7 +54,6 @@ import com.cloud.vm.VirtualMachine;
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule {
 
-
     // ///////////////////////////////////////////////////
     // ////////////// API parameters /////////////////////
     // ///////////////////////////////////////////////////
@@ -278,13 +277,7 @@ public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements P
     @Override
     public long getNetworkId() {
         IpAddress ip = _entityMgr.findById(IpAddress.class, getIpAddressId());
-        Long ntwkId = null;
-
-        if (ip.getAssociatedWithNetworkId() != null) {
-            ntwkId = ip.getAssociatedWithNetworkId();
-        } else {
-            ntwkId = networkId;
-        }
+        Long ntwkId = _networkService.getPreferredNetworkIdForPublicIpRuleAssignment(ip, networkId);
         if (ntwkId == null) {
             throw new InvalidParameterValueException("Unable to create port forwarding rule for the ipAddress id=" + ipAddressId +
                     " as ip is not associated with any network and no networkId is passed in");
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
index 6d8d356cea4..cc7cd2382b7 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java
@@ -23,6 +23,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
+import com.cloud.network.Network;
+import com.cloud.utils.Pair;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 import org.apache.cloudstack.api.APICommand;
@@ -72,7 +74,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
 
     @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID_IP,
             type = CommandType.MAP,
-            description = "VM ID and IP map, vmidipmap[0].vmid=1 vmidipmap[0].vmip=10.1.1.75",
+            description = "VM ID and IP map, vmidipmap[0].vmid=1 vmidipmap[0].vmip=10.1.1.75. (Optional, for VPC Conserve Mode) Pass vmnetworkid. Example: vmidipmap[0].vmnetworkid=NETWORK_TIER_UUID",
             since = "4.4")
     private Map vmIdIpMap;
 
@@ -116,8 +118,9 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
     }
 
 
-    public Map<Long, List<String>> getVmIdIpListMap() {
-        Map<Long, List<String>> vmIdIpsMap = new HashMap<Long, List<String>>();
+    public Pair<Map<Long, List<String>>, Map<Long, Long>> getVmIdIpListMapAndVmIdNetworkMap() {
+        Map<Long, List<String>> vmIdIpsMap = new HashMap<>();
+        Map<Long, Long> vmIdNetworkMap = new HashMap<>();
         if (vmIdIpMap != null && !vmIdIpMap.isEmpty()) {
             Collection idIpsCollection = vmIdIpMap.values();
             Iterator iter = idIpsCollection.iterator();
@@ -125,6 +128,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
                 HashMap<String, String> idIpsMap = (HashMap<String, String>)iter.next();
                 String vmId = idIpsMap.get("vmid");
                 String vmIp = idIpsMap.get("vmip");
+                String vmNetworkUuid = idIpsMap.get("vmnetworkid");
 
                 VirtualMachine lbvm = _entityMgr.findByUuid(VirtualMachine.class, vmId);
                 if (lbvm == null) {
@@ -145,25 +149,35 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd {
                     ipsList = new ArrayList<String>();
                 }
                 ipsList.add(vmIp);
+
+                if (vmNetworkUuid != null) {
+                    Network vmNetwork = _entityMgr.findByUuid(Network.class, vmNetworkUuid);
+                    if (vmNetwork == null) {
+                        throw new InvalidParameterValueException("Unable to find Network ID: " + vmNetworkUuid);
+                    }
+                    vmIdNetworkMap.put(longVmId, vmNetwork.getId());
+                }
                 vmIdIpsMap.put(longVmId, ipsList);
 
             }
         }
 
-        return vmIdIpsMap;
+        return new Pair<>(vmIdIpsMap, vmIdNetworkMap);
     }
 
     @Override
     public void execute() {
         CallContext.current().setEventDetails("Load balancer ID: " + getResourceUuid(ApiConstants.ID) + " Instances IDs: " + StringUtils.join(getVirtualMachineIds(), ","));
 
-        Map<Long, List<String>> vmIdIpsMap = getVmIdIpListMap();
+        Pair<Map<Long, List<String>>, Map<Long, Long>> mapsPair = getVmIdIpListMapAndVmIdNetworkMap();
+        Map<Long, List<String>> vmIdIpsMap = mapsPair.first();
+        Map<Long, Long> vmIdNetworkMap = mapsPair.second();
         boolean result = false;
 
         try {
-            result = _lbService.assignToLoadBalancer(getLoadBalancerId(), virtualMachineIds, vmIdIpsMap, false);
+            result = _lbService.assignToLoadBalancer(getLoadBalancerId(), virtualMachineIds, vmIdIpsMap, vmIdNetworkMap, false);
         }catch (CloudRuntimeException ex) {
-            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to assign load balancer rule");
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to assign load balancer rule due to: " + ex.getMessage());
         }
 
         if (result) {
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/ApiKeyPairResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/ApiKeyPairResponse.java
new file mode 100644
index 00000000000..350d71b3788
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/response/ApiKeyPairResponse.java
@@ -0,0 +1,285 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.user.ApiKeyPairState;
+import com.google.gson.annotations.SerializedName;
+
+import java.util.Date;
+import java.util.List;
+
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.api.ApiConstants;
+
+import com.cloud.serializer.Param;
+import org.apache.cloudstack.api.BaseResponseWithAnnotations;
+import org.apache.cloudstack.api.EntityReference;
+
+@EntityReference(value = ApiKeyPair.class)
+public class ApiKeyPairResponse extends BaseResponseWithAnnotations {
+    @SerializedName(ApiConstants.NAME)
+    @Param(description = "Name of the API key pair")
+    private String name;
+
+    @SerializedName(ApiConstants.API_KEY)
+    @Param(description = "The API key of the registered user.", isSensitive = true)
+    private String userApiKey;
+
+    @SerializedName(ApiConstants.SECRET_KEY)
+    @Param(description = "The secret key of the registered user.", isSensitive = true)
+    private String userSecretKey;
+
+    @SerializedName(ApiConstants.USER_ID)
+    @Param(description = "ID of the user that owns the keypair.")
+    private String userId;
+
+    @SerializedName(ApiConstants.USERNAME)
+    @Param(description = "Username of the keypair's owner.")
+    private String username;
+
+    @SerializedName(ApiConstants.ID)
+    @Param(description = "ID of the API key pair.", isSensitive = true)
+    private String id;
+
+    @SerializedName(ApiConstants.DESCRIPTION)
+    @Param(description = "API key pair description.")
+    private String description;
+
+    @SerializedName(ApiConstants.START_DATE)
+    @Param(description = "API key pair start date.")
+    private Date startDate;
+
+    @SerializedName(ApiConstants.END_DATE)
+    @Param(description = "API key pair expiration date.")
+    private Date endDate;
+
+    @SerializedName(ApiConstants.CREATED)
+    @Param(description = "API key pair creation timestamp.")
+    private Date created;
+
+    @SerializedName(ApiConstants.ACCOUNT_TYPE)
+    @Param(description = "Account type.")
+    private String accountType;
+
+    @SerializedName(ApiConstants.ACCOUNT_ID)
+    @Param(description = "Account ID.")
+    private String accountId;
+
+    @SerializedName(ApiConstants.ACCOUNT_NAME)
+    @Param(description = "Account name.")
+    private String accountName;
+
+    @SerializedName(ApiConstants.ROLE_ID)
+    @Param(description = "ID of the role.")
+    private String roleId;
+
+    @SerializedName(ApiConstants.ROLE_TYPE)
+    @Param(description = "Type of the role (Admin, ResourceAdmin, DomainAdmin, User).")
+    private String roleType;
+
+    @SerializedName(ApiConstants.ROLE_NAME)
+    @Param(description = "Name of the role.")
+    private String roleName;
+
+    @SerializedName(ApiConstants.PERMISSIONS)
+    @Param(description = "Permissions of the API key pair.")
+    private List<BaseRolePermissionResponse> permissions;
+
+    @SerializedName(ApiConstants.DOMAIN_ID)
+    @Param(description = "ID of the domain which the account belongs to.")
+    private String domainId;
+
+    @SerializedName(ApiConstants.DOMAIN)
+    @Param(description = "Name of the domain which the account belongs to.")
+    private String domainName;
+
+    @SerializedName(ApiConstants.DOMAIN_PATH)
+    @Param(description = "Path of the domain which the account belongs to.")
+    private String domainPath;
+
+    @SerializedName(ApiConstants.STATE)
+    @Param(description = "State of the API key pair.")
+    private ApiKeyPairState state;
+
+    public String getApiKey() {
+        return userApiKey;
+    }
+
+    public void setApiKey(String apiKey) {
+        this.userApiKey = apiKey;
+    }
+
+    public String getSecretKey() {
+        return userSecretKey;
+    }
+
+    public void setSecretKey(String secretKey) {
+        this.userSecretKey = secretKey;
+    }
+
+    public String getId() {
+        return this.id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getUserId() {
+        return userId;
+    }
+
+    public void setUserId(String userId) {
+        this.userId = userId;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Date getStartDate() {
+        return startDate;
+    }
+
+    public void setStartDate(Date startDate) {
+        this.startDate = startDate;
+    }
+
+    public Date getEndDate() {
+        return endDate;
+    }
+
+    public void setEndDate(Date endDate) {
+        this.endDate = endDate;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+
+    public void setCreated(Date created) {
+        this.created = created;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getAccountType() {
+        return accountType;
+    }
+
+    public void setAccountType(String accountType) {
+        this.accountType = accountType;
+    }
+
+    public String getRoleId() {
+        return roleId;
+    }
+
+    public void setRoleId(String roleId) {
+        this.roleId = roleId;
+    }
+
+    public String getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(String accountId) {
+        this.accountId = accountId;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public String getRoleType() {
+        return roleType;
+    }
+
+    public void setRoleType(String roleType) {
+        this.roleType = roleType;
+    }
+
+    public String getRoleName() {
+        return roleName;
+    }
+
+    public void setRoleName(String roleName) {
+        this.roleName = roleName;
+    }
+
+    public String getDomainId() {
+        return domainId;
+    }
+
+    public void setDomainId(String domainId) {
+        this.domainId = domainId;
+    }
+
+    public String getDomainName() {
+        return domainName;
+    }
+
+    public void setDomainName(String domainName) {
+        this.domainName = domainName;
+    }
+
+    public String getDomainPath() {
+        return domainPath;
+    }
+
+    public void setDomainPath(String domainPath) {
+        this.domainPath = domainPath;
+    }
+
+    public ApiKeyPairState getState() {
+        return state;
+    }
+
+    public void setState(ApiKeyPairState state) {
+        this.state = state;
+    }
+
+    public String getAccountName() {
+        return accountName;
+    }
+
+    public void setAccountName(String accountName) {
+        this.accountName = accountName;
+    }
+
+    public List<BaseRolePermissionResponse> getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(List<BaseRolePermissionResponse> permissions) {
+        this.permissions = permissions;
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/FirewallRuleResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/FirewallRuleResponse.java
index 48097e51d99..aed56a36908 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/FirewallRuleResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/FirewallRuleResponse.java
@@ -94,6 +94,10 @@ public class FirewallRuleResponse extends BaseResponse {
     @Param(description = "The ID of the guest Network the port forwarding rule belongs to")
     private String networkId;
 
+    @SerializedName(ApiConstants.NETWORK_NAME)
+    @Param(description = "The Name of the guest Network the port forwarding rule belongs to")
+    private String networkName;
+
     @SerializedName(ApiConstants.FOR_DISPLAY)
     @Param(description = "Is firewall for display to the regular user", since = "4.4", authorized = {RoleType.Admin})
     private Boolean forDisplay;
@@ -223,6 +227,10 @@ public class FirewallRuleResponse extends BaseResponse {
         this.networkId = networkId;
     }
 
+    public void setNetworkName(String networkName) {
+        this.networkName = networkName;
+    }
+
     public void setForDisplay(Boolean forDisplay) {
         this.forDisplay = forDisplay;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java
index 3b1c1a10885..61b025b206e 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java
@@ -95,12 +95,12 @@ public class UserResponse extends BaseResponse implements SetResourceIconRespons
     @Param(description = "The timezone user was created in")
     private String timezone;
 
-    @SerializedName("apikey")
+    @SerializedName(ApiConstants.API_KEY)
     @Param(description = "The API key of the user", isSensitive = true)
     private String apiKey;
 
     @Deprecated
-    @SerializedName("secretkey")
+    @SerializedName(ApiConstants.SECRET_KEY)
     @Param(description = "The secret key of the user", isSensitive = true)
     private String secretKey;
 
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/VpcOfferingResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/VpcOfferingResponse.java
index a0516e660e4..2e821dae52d 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/VpcOfferingResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/VpcOfferingResponse.java
@@ -102,6 +102,10 @@ public class VpcOfferingResponse extends BaseResponse {
     @Param(description = "The routing mode for the network offering, supported types are Static or Dynamic.")
     private String routingMode;
 
+    @SerializedName(ApiConstants.CONSERVE_MODE)
+    @Param(description = "True if the VPC offering is IP conserve mode enabled, allowing public IP services to be used across multiple VPC tiers.", since = "4.23.0")
+    private Boolean conserveMode;
+
     public void setId(String id) {
         this.id = id;
     }
@@ -201,4 +205,12 @@ public class VpcOfferingResponse extends BaseResponse {
     public void setRoutingMode(String routingMode) {
         this.routingMode = routingMode;
     }
+
+    public Boolean getConserveMode() {
+        return conserveMode;
+    }
+
+    public void setConserveMode(Boolean conserveMode) {
+        this.conserveMode = conserveMode;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
index 2648ba83678..acfabb11350 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/VpcResponse.java
@@ -73,6 +73,10 @@ public class VpcResponse extends BaseResponseWithAnnotations implements Controll
     @Param(description = "VPC offering name the VPC is created from", since = "4.13.2")
     private String vpcOfferingName;
 
+    @SerializedName(ApiConstants.VPC_OFFERING_CONSERVE_MODE)
+    @Param(description = "true if VPC offering is ip conserve mode enabled", since = "4.23")
+    private Boolean vpcOfferingConserveMode;
+
     @SerializedName(ApiConstants.CREATED)
     @Param(description = "The date this VPC was created")
     private Date created;
@@ -197,6 +201,10 @@ public class VpcResponse extends BaseResponseWithAnnotations implements Controll
         this.displayText = displayText;
     }
 
+    public void setVpcOfferingConserveMode(Boolean vpcOfferingConserveMode) {
+        this.vpcOfferingConserveMode = vpcOfferingConserveMode;
+    }
+
     public void setCreated(final Date created) {
         this.created = created;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java b/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
index e83db3a2589..6c0121a3e4d 100644
--- a/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
+++ b/api/src/main/java/org/apache/cloudstack/backup/BackupManager.java
@@ -22,6 +22,7 @@ import java.util.Map;
 
 import com.cloud.capacity.Capacity;
 import com.cloud.exception.ResourceAllocationException;
+import org.apache.cloudstack.api.command.admin.backup.CloneBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.ImportBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.UpdateBackupOfferingCmd;
 import org.apache.cloudstack.api.command.user.backup.CreateBackupCmd;
@@ -140,6 +141,12 @@ public interface BackupManager extends BackupService, Configurable, PluggableSer
 
     List<Long> getBackupOfferingDomains(final Long offeringId);
 
+    /**
+     * Clone an existing backup offering with updated values
+     * @param cmd clone backup offering cmd
+     */
+    BackupOffering cloneBackupOffering(final CloneBackupOfferingCmd cmd);
+
     /**
      * List backup offerings
      * @param ListBackupOfferingsCmd API cmd
diff --git a/api/src/main/java/org/apache/cloudstack/query/QueryService.java b/api/src/main/java/org/apache/cloudstack/query/QueryService.java
index 5cd67ffe9ba..5b053aafd84 100644
--- a/api/src/main/java/org/apache/cloudstack/query/QueryService.java
+++ b/api/src/main/java/org/apache/cloudstack/query/QueryService.java
@@ -145,6 +145,8 @@ public interface QueryService {
 
     ListResponse<UserResponse> searchForUsers(Long domainId, boolean recursive) throws PermissionDeniedException;
 
+    List<Long> searchForAccessibleUsers();
+
     ListResponse<EventResponse> searchForEvents(ListEventsCmd cmd);
 
     ListResponse<ResourceTagResponse> listTags(ListTagsCmd cmd);
diff --git a/api/src/test/java/org/apache/cloudstack/acl/RuleTest.java b/api/src/test/java/org/apache/cloudstack/acl/RuleTest.java
index 79e6127d29a..b99ba48c66d 100644
--- a/api/src/test/java/org/apache/cloudstack/acl/RuleTest.java
+++ b/api/src/test/java/org/apache/cloudstack/acl/RuleTest.java
@@ -17,13 +17,46 @@
 package org.apache.cloudstack.acl;
 
 import com.cloud.exception.InvalidParameterValueException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+import org.apache.cloudstack.api.APICommand;
 import org.junit.Assert;
+import org.junit.BeforeClass;
 import org.junit.Test;
 
 import java.util.Arrays;
+import org.springframework.beans.factory.annotation.AnnotatedBeanDefinition;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
+import org.springframework.core.type.filter.AnnotationTypeFilter;
 
 public class RuleTest {
 
+    private static List<String> apiNames;
+    private static List<Rule> apiRules;
+    private static ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(false);
+
+    @BeforeClass
+    public static void setup() {
+        provider.addIncludeFilter(new AnnotationTypeFilter(APICommand.class));
+        Set<BeanDefinition> beanDefinitions = provider.findCandidateComponents("org.apache.cloudstack.api");
+
+        apiNames = new ArrayList<>();
+        apiRules = new ArrayList<>();
+        for(BeanDefinition bd : beanDefinitions) {
+            if (bd instanceof AnnotatedBeanDefinition) {
+                Map<String, Object> annotationAttributeMap = ((AnnotatedBeanDefinition) bd).getMetadata()
+                        .getAnnotationAttributes(APICommand.class.getName());
+                String apiName = annotationAttributeMap.get("name").toString();
+                apiNames.add(apiName);
+                apiRules.add(new Rule(apiName));
+            }
+        }
+    }
+
     @Test
     public void testToString() throws Exception {
         Rule rule = new Rule("someString");
@@ -31,21 +64,89 @@ public class RuleTest {
     }
 
     @Test
-    public void testMatchesEmpty() throws Exception {
-        Rule rule = new Rule("someString");
-        Assert.assertFalse(rule.matches(""));
+    public void ruleMatchesTestNoMatchesOnEmptyString() throws Exception {
+        String testCmd = "";
+        List<String> matches = new ArrayList<>();
+        for (Rule rule : apiRules) {
+            if (rule.matches(testCmd)) {
+                matches.add(rule.getRuleString());
+            }
+        }
+
+        Assert.assertEquals(matches.size(), 0);
     }
 
     @Test
-    public void testMatchesNull() throws Exception {
-        Rule rule = new Rule("someString");
-        Assert.assertFalse(rule.matches(null));
+    public void ruleMatchesTestNoMatchesOnNull() throws Exception {
+        List<String> matches = new ArrayList<>();
+        for (Rule rule : apiRules) {
+            if (rule.matches(null)) {
+                matches.add(rule.getRuleString());
+            }
+        }
+
+        Assert.assertTrue(matches.isEmpty());
     }
 
     @Test
-    public void testMatchesSpace() throws Exception {
-        Rule rule = new Rule("someString");
-        Assert.assertFalse(rule.matches(" "));
+    public void ruleMatchesTestNoMatchesOnSpaceCharacter() throws Exception {
+        String testCmd = " ";
+        List<String> matches = new ArrayList<>();
+        for (Rule rule : apiRules) {
+            if (rule.matches(testCmd)) {
+                matches.add(rule.getRuleString());
+            }
+        }
+
+        Assert.assertTrue(matches.isEmpty());
+    }
+
+    @Test
+    public void ruleMatchesTestWildCardOnEndWorksAsNormalRegex() {
+        setup();
+        Pattern regexPattern = Pattern.compile("list.*");
+        Rule acsRegexRule = new Rule("list*");
+
+        List<String> nonMatches = new ArrayList<>();
+        for (String apiName : apiNames) {
+            if (acsRegexRule.matches(apiName) != regexPattern.matcher(apiName).matches()) {
+                nonMatches.add(apiName);
+            }
+        }
+
+        Assert.assertTrue(nonMatches.isEmpty());
+    }
+
+    @Test
+    public void ruleMatchesTestWildCardOnMiddleWorksAsNormalRegex() {
+        setup();
+        Pattern regexPattern = Pattern.compile("list.*s");
+        Rule acsRegexRule = new Rule("list*s");
+
+        List<String> nonMatches = new ArrayList<>();
+        for (String apiName : apiNames) {
+            if (acsRegexRule.matches(apiName) != regexPattern.matcher(apiName).matches()) {
+                nonMatches.add(apiName);
+            }
+        }
+
+        Assert.assertTrue(nonMatches.isEmpty());
+    }
+
+    @Test
+    public void ruleMatchesTestWildCardOnStartWorksAsNormalRegex() {
+        setup();
+        Pattern regexPattern = Pattern.compile(".*User");
+        Rule acsRegexRule = new Rule("*User");
+
+        List<String> nonMatches = new ArrayList<>();
+        for (String apiName : apiNames) {
+            if (acsRegexRule.matches(apiName) != regexPattern.matcher(apiName).matches()) {
+                nonMatches.add(apiName);
+            }
+        }
+
+        Assert.assertTrue(nonMatches.isEmpty());
     }
 
     @Test
@@ -73,7 +174,25 @@ public class RuleTest {
     }
 
     @Test
-    public void testValidateRuleWithValidData() throws Exception {
+    public void ruleMatchesTestWildcardOnRuleAndCommand() throws Exception {
+        Rule rule = new Rule("*");
+        Assert.assertTrue(rule.matches("list*"));
+    }
+
+    @Test
+    public void ruleMatchesTestWildcardOnRuleAndCommandNotAllowed() throws Exception {
+        Rule rule = new Rule("list*");
+        Assert.assertFalse(rule.matches("*"));
+    }
+
+    @Test
+    public void ruleMatchesTestWithMultipleStars() throws Exception {
+        Rule rule = new Rule("list***");
+        Assert.assertFalse(rule.matches("api"));
+    }
+
+    @Test
+    public void testRuleToStringWithValidStrings() throws Exception {
         for (String rule : Arrays.asList("a", "1", "someApi", "someApi321", "123SomeApi",
                 "prefix*", "*middle*", "*Suffix",
                 "*", "**", "f***", "m0nk3yMa**g1c*")) {
@@ -82,7 +201,7 @@ public class RuleTest {
     }
 
     @Test
-    public void testValidateRuleWithInvalidData() throws Exception {
+    public void testRuleToStringWithInvalidStrings() throws Exception {
         for (String rule : Arrays.asList(null, "", " ", "  ", "\n", "\t", "\r", "\"", "\'",
                 "^someApi$", "^someApi", "some$", "some-Api;", "some,Api",
                 "^", "$", "^$", ".*", "\\w+", "r**l3rd0@Kr3", "j@s1n|+|0ȷ",
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmdTest.java
new file mode 100644
index 00000000000..a1412d5a76a
--- /dev/null
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/backup/CloneBackupOfferingCmdTest.java
@@ -0,0 +1,301 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.backup;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.ResponseGenerator;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.BackupOfferingResponse;
+import org.apache.cloudstack.backup.BackupManager;
+import org.apache.cloudstack.backup.BackupOffering;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class CloneBackupOfferingCmdTest {
+
+    private CloneBackupOfferingCmd cloneBackupOfferingCmd;
+
+    @Mock
+    private BackupManager backupManager;
+
+    @Mock
+    private ResponseGenerator responseGenerator;
+
+    @Mock
+    private BackupOffering mockBackupOffering;
+
+    @Mock
+    private BackupOfferingResponse mockBackupOfferingResponse;
+
+    @Before
+    public void setUp() {
+        cloneBackupOfferingCmd = new CloneBackupOfferingCmd();
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "backupManager", backupManager);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "_responseGenerator", responseGenerator);
+    }
+
+    @Test
+    public void testGetSourceOfferingId() {
+        Long sourceOfferingId = 999L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        assertEquals(sourceOfferingId, cloneBackupOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testGetName() {
+        String name = "ClonedBackupOffering";
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", name);
+        assertEquals(name, cloneBackupOfferingCmd.getName());
+    }
+
+    @Test
+    public void testGetDescription() {
+        String description = "Cloned Backup Offering Description";
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", description);
+        assertEquals(description, cloneBackupOfferingCmd.getDescription());
+    }
+
+    @Test
+    public void testGetZoneId() {
+        Long zoneId = 123L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "zoneId", zoneId);
+        assertEquals(zoneId, cloneBackupOfferingCmd.getZoneId());
+    }
+
+    @Test
+    public void testGetExternalId() {
+        String externalId = "external-backup-123";
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "externalId", externalId);
+        assertEquals(externalId, cloneBackupOfferingCmd.getExternalId());
+    }
+
+    @Test
+    public void testGetAllowUserDrivenBackups() {
+        Boolean allowUserDrivenBackups = true;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", allowUserDrivenBackups);
+        assertEquals(allowUserDrivenBackups, cloneBackupOfferingCmd.getUserDrivenBackups());
+    }
+
+    @Test
+    public void testAllowUserDrivenBackupsDefaultTrue() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", null);
+        Boolean result = cloneBackupOfferingCmd.getUserDrivenBackups();
+        assertTrue(result == null || result);
+    }
+
+    @Test
+    public void testAllowUserDrivenBackupsFalse() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", false);
+        assertEquals(Boolean.FALSE, cloneBackupOfferingCmd.getUserDrivenBackups());
+    }
+
+    @Test
+    public void testExecuteSuccess() throws Exception {
+        Long sourceOfferingId = 999L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+
+        when(backupManager.cloneBackupOffering(any(CloneBackupOfferingCmd.class))).thenReturn(mockBackupOffering);
+        when(responseGenerator.createBackupOfferingResponse(mockBackupOffering)).thenReturn(mockBackupOfferingResponse);
+
+        cloneBackupOfferingCmd.execute();
+
+        assertNotNull(cloneBackupOfferingCmd.getResponseObject());
+        assertEquals(mockBackupOfferingResponse, cloneBackupOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteFailure() throws Exception {
+        Long sourceOfferingId = 999L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(backupManager.cloneBackupOffering(any(CloneBackupOfferingCmd.class))).thenReturn(null);
+
+        try {
+            cloneBackupOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Failed to clone backup offering", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteWithInvalidParameterException() throws Exception {
+        Long sourceOfferingId = 999L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(backupManager.cloneBackupOffering(any(CloneBackupOfferingCmd.class)))
+            .thenThrow(new InvalidParameterValueException("Invalid source offering ID"));
+
+        try {
+            cloneBackupOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.PARAM_ERROR, e.getErrorCode());
+            assertEquals("Invalid source offering ID", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteWithCloudRuntimeException() throws Exception {
+        Long sourceOfferingId = 999L;
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(backupManager.cloneBackupOffering(any(CloneBackupOfferingCmd.class)))
+            .thenThrow(new CloudRuntimeException("Runtime error during clone"));
+
+        try {
+            cloneBackupOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Runtime error during clone", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteSuccessWithAllParameters() throws Exception {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Test Description");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "zoneId", 123L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "externalId", "ext-123");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", true);
+
+        when(backupManager.cloneBackupOffering(any(CloneBackupOfferingCmd.class))).thenReturn(mockBackupOffering);
+        when(responseGenerator.createBackupOfferingResponse(mockBackupOffering)).thenReturn(mockBackupOfferingResponse);
+
+        cloneBackupOfferingCmd.execute();
+
+        assertNotNull(cloneBackupOfferingCmd.getResponseObject());
+        assertEquals(mockBackupOfferingResponse, cloneBackupOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testCloneWithAllParameters() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Cloned backup offering for testing");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "zoneId", 123L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "externalId", "external-backup-123");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", true);
+
+        assertEquals(Long.valueOf(999L), cloneBackupOfferingCmd.getSourceOfferingId());
+        assertEquals("ClonedBackupOffering", cloneBackupOfferingCmd.getName());
+        assertEquals("Cloned backup offering for testing", cloneBackupOfferingCmd.getDescription());
+        assertEquals(Long.valueOf(123L), cloneBackupOfferingCmd.getZoneId());
+        assertEquals("external-backup-123", cloneBackupOfferingCmd.getExternalId());
+        assertEquals(Boolean.TRUE, cloneBackupOfferingCmd.getUserDrivenBackups());
+    }
+
+    @Test
+    public void testCloneWithMinimalParameters() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Description");
+
+        assertEquals(Long.valueOf(999L), cloneBackupOfferingCmd.getSourceOfferingId());
+        assertEquals("ClonedBackupOffering", cloneBackupOfferingCmd.getName());
+        assertEquals("Description", cloneBackupOfferingCmd.getDescription());
+
+        assertNull(cloneBackupOfferingCmd.getZoneId());
+        assertNull(cloneBackupOfferingCmd.getExternalId());
+    }
+
+    @Test
+    public void testSourceOfferingIdNullByDefault() {
+        assertNull(cloneBackupOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testNameNullByDefault() {
+        assertNull(cloneBackupOfferingCmd.getName());
+    }
+
+    @Test
+    public void testDescriptionNullByDefault() {
+        assertNull(cloneBackupOfferingCmd.getDescription());
+    }
+
+    @Test
+    public void testZoneIdNullByDefault() {
+        assertNull(cloneBackupOfferingCmd.getZoneId());
+    }
+
+    @Test
+    public void testExternalIdNullByDefault() {
+        assertNull(cloneBackupOfferingCmd.getExternalId());
+    }
+
+    @Test
+    public void testCloneBackupOfferingInheritingZone() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Clone with inherited zone");
+
+        assertEquals(Long.valueOf(999L), cloneBackupOfferingCmd.getSourceOfferingId());
+        assertNull(cloneBackupOfferingCmd.getZoneId());
+    }
+
+    @Test
+    public void testCloneBackupOfferingInheritingExternalId() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Clone with inherited external ID");
+
+        assertEquals(Long.valueOf(999L), cloneBackupOfferingCmd.getSourceOfferingId());
+        assertNull(cloneBackupOfferingCmd.getExternalId());
+    }
+
+    @Test
+    public void testCloneBackupOfferingOverridingZone() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Clone with new zone");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "zoneId", 456L);
+
+        assertEquals(Long.valueOf(999L), cloneBackupOfferingCmd.getSourceOfferingId());
+        assertEquals(Long.valueOf(456L), cloneBackupOfferingCmd.getZoneId());
+    }
+
+    @Test
+    public void testCloneBackupOfferingDisallowUserDrivenBackups() {
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "sourceOfferingId", 999L);
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "name", "ClonedBackupOffering");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "description", "Clone without user-driven backups");
+        ReflectionTestUtils.setField(cloneBackupOfferingCmd, "userDrivenBackups", false);
+
+        assertEquals(Boolean.FALSE, cloneBackupOfferingCmd.getUserDrivenBackups());
+    }
+}
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmdTest.java
new file mode 100644
index 00000000000..096395b1359
--- /dev/null
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/network/CloneNetworkOfferingCmdTest.java
@@ -0,0 +1,324 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.network;
+
+import com.cloud.offering.NetworkOffering;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.ResponseGenerator;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.NetworkOfferingResponse;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class CloneNetworkOfferingCmdTest {
+
+    private CloneNetworkOfferingCmd cloneNetworkOfferingCmd;
+
+    @Mock
+    private com.cloud.configuration.ConfigurationService configService;
+
+    @Mock
+    private ResponseGenerator responseGenerator;
+
+    @Mock
+    private NetworkOffering mockNetworkOffering;
+
+    @Mock
+    private NetworkOfferingResponse mockNetworkOfferingResponse;
+
+    @Before
+    public void setUp() {
+        cloneNetworkOfferingCmd = new CloneNetworkOfferingCmd();
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "_configService", configService);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "_responseGenerator", responseGenerator);
+    }
+
+    @Test
+    public void testGetSourceOfferingId() {
+        Long sourceOfferingId = 123L;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        assertEquals(sourceOfferingId, cloneNetworkOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testGetAddServices() {
+        List<String> addServices = Arrays.asList("Dhcp", "Dns");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "addServices", addServices);
+        assertEquals(addServices, cloneNetworkOfferingCmd.getAddServices());
+    }
+
+    @Test
+    public void testGetDropServices() {
+        List<String> dropServices = Arrays.asList("Firewall", "Vpn");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "dropServices", dropServices);
+        assertEquals(dropServices, cloneNetworkOfferingCmd.getDropServices());
+    }
+
+    @Test
+    public void testGetGuestIpType() {
+        String guestIpType = "Isolated";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "guestIptype", guestIpType);
+        assertEquals(guestIpType, cloneNetworkOfferingCmd.getGuestIpType());
+    }
+
+    @Test
+    public void testGetTraffictype() {
+        String trafficType = "GUEST";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "traffictype", trafficType);
+        assertEquals(trafficType, cloneNetworkOfferingCmd.getTraffictype());
+    }
+
+    @Test
+    public void testGetName() {
+        String name = "ClonedNetworkOffering";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "networkOfferingName", name);
+        assertEquals(name, cloneNetworkOfferingCmd.getNetworkOfferingName());
+    }
+
+    @Test
+    public void testGetDisplayText() {
+        String displayText = "Cloned Network Offering Display Text";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "displayText", displayText);
+        assertEquals(displayText, cloneNetworkOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetDisplayTextDefaultsToName() {
+        String name = "ClonedNetworkOffering";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "networkOfferingName", name);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "displayText", null);
+        assertEquals(name, cloneNetworkOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetAvailability() {
+        String availability = "Required";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "availability", availability);
+        assertEquals(availability, cloneNetworkOfferingCmd.getAvailability());
+    }
+
+    @Test
+    public void testGetTags() {
+        String tags = "tag1,tag2,tag3";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "tags", tags);
+        assertEquals(tags, cloneNetworkOfferingCmd.getTags());
+    }
+
+    @Test
+    public void testExecuteSuccess() {
+        Long sourceOfferingId = 123L;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneNetworkOffering(any(CloneNetworkOfferingCmd.class))).thenReturn(mockNetworkOffering);
+        when(responseGenerator.createNetworkOfferingResponse(mockNetworkOffering)).thenReturn(mockNetworkOfferingResponse);
+
+        cloneNetworkOfferingCmd.execute();
+
+        assertNotNull(cloneNetworkOfferingCmd.getResponseObject());
+        assertEquals(mockNetworkOfferingResponse, cloneNetworkOfferingCmd.getResponseObject());
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteFailure() {
+        Long sourceOfferingId = 123L;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneNetworkOffering(any(CloneNetworkOfferingCmd.class))).thenReturn(null);
+
+        try {
+            cloneNetworkOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Failed to clone network offering", e.getMessage());
+            throw e;
+        }
+    }
+
+    @Test
+    public void testGetConserveMode() {
+        Boolean conserveMode = true;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "conserveMode", conserveMode);
+        assertEquals(conserveMode, cloneNetworkOfferingCmd.getConserveMode());
+    }
+
+    @Test
+    public void testGetSpecifyVlan() {
+        Boolean specifyVlan = false;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "specifyVlan", specifyVlan);
+        assertEquals(specifyVlan, cloneNetworkOfferingCmd.getSpecifyVlan());
+    }
+
+    @Test
+    public void testGetSpecifyIpRanges() {
+        Boolean specifyIpRanges = true;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "specifyIpRanges", specifyIpRanges);
+        assertEquals(specifyIpRanges, cloneNetworkOfferingCmd.getSpecifyIpRanges());
+    }
+
+    @Test
+    public void testGetIsPersistent() {
+        Boolean isPersistent = true;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "isPersistent", isPersistent);
+        assertEquals(isPersistent, cloneNetworkOfferingCmd.getIsPersistent());
+    }
+
+    @Test
+    public void testGetEgressDefaultPolicy() {
+        Boolean egressDefaultPolicy = false;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "egressDefaultPolicy", egressDefaultPolicy);
+        assertEquals(egressDefaultPolicy, cloneNetworkOfferingCmd.getEgressDefaultPolicy());
+    }
+
+    @Test
+    public void testGetServiceOfferingId() {
+        Long serviceOfferingId = 456L;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "serviceOfferingId", serviceOfferingId);
+        assertEquals(serviceOfferingId, cloneNetworkOfferingCmd.getServiceOfferingId());
+    }
+
+    @Test
+    public void testGetForVpc() {
+        Boolean forVpc = true;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "forVpc", forVpc);
+        assertEquals(forVpc, cloneNetworkOfferingCmd.getForVpc());
+    }
+
+    @Test
+    public void testGetMaxConnections() {
+        Integer maxConnections = 1000;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "maxConnections", maxConnections);
+        assertEquals(maxConnections, cloneNetworkOfferingCmd.getMaxconnections());
+    }
+
+    @Test
+    public void testGetNetworkRate() {
+        Integer networkRate = 200;
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "networkRate", networkRate);
+        assertEquals(networkRate, cloneNetworkOfferingCmd.getNetworkRate());
+    }
+
+    @Test
+    public void testGetInternetProtocol() {
+        String internetProtocol = "ipv4";
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "internetProtocol", internetProtocol);
+        assertEquals(internetProtocol, cloneNetworkOfferingCmd.getInternetProtocol());
+    }
+
+    @Test
+    public void testAddServicesNullByDefault() {
+        assertNull(cloneNetworkOfferingCmd.getAddServices());
+    }
+
+    @Test
+    public void testDropServicesNullByDefault() {
+        assertNull(cloneNetworkOfferingCmd.getDropServices());
+    }
+
+    @Test
+    public void testSupportedServicesParameter() {
+        List<String> supportedServices = Arrays.asList("Dhcp", "Dns", "SourceNat");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "supportedServices", supportedServices);
+        assertEquals(supportedServices, cloneNetworkOfferingCmd.getSupportedServices());
+    }
+
+    @Test
+    public void testServiceProviderListParameter() {
+        Map<String, HashMap<String, String>> serviceProviderList = new HashMap<>();
+
+        HashMap<String, String> dhcpProvider = new HashMap<>();
+        dhcpProvider.put("service", "Dhcp");
+        dhcpProvider.put("provider", "VirtualRouter");
+
+        HashMap<String, String> dnsProvider = new HashMap<>();
+        dnsProvider.put("service", "Dns");
+        dnsProvider.put("provider", "VirtualRouter");
+
+        serviceProviderList.put("0", dhcpProvider);
+        serviceProviderList.put("1", dnsProvider);
+
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "serviceProviderList", serviceProviderList);
+
+        Map<String, List<String>> result = cloneNetworkOfferingCmd.getServiceProviders();
+        assertNotNull(result);
+        assertEquals(2, result.size());
+        assertNotNull(result.get("Dhcp"));
+        assertNotNull(result.get("Dns"));
+        assertEquals("VirtualRouter", result.get("Dhcp").get(0));
+        assertEquals("VirtualRouter", result.get("Dns").get(0));
+    }
+
+    @Test
+    public void testCloneWithAllParameters() {
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "sourceOfferingId", 123L);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "networkOfferingName", "ClonedOffering");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "displayText", "Cloned Offering Display");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "availability", "Optional");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "guestIptype", "Isolated");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "traffictype", "GUEST");
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "conserveMode", true);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "specifyVlan", false);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "isPersistent", true);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "egressDefaultPolicy", false);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "networkRate", 200);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "serviceOfferingId", 456L);
+
+        assertEquals(Long.valueOf(123L), cloneNetworkOfferingCmd.getSourceOfferingId());
+        assertEquals("ClonedOffering", cloneNetworkOfferingCmd.getNetworkOfferingName());
+        assertEquals("Cloned Offering Display", cloneNetworkOfferingCmd.getDisplayText());
+        assertEquals("Optional", cloneNetworkOfferingCmd.getAvailability());
+        assertEquals("Isolated", cloneNetworkOfferingCmd.getGuestIpType());
+        assertEquals("GUEST", cloneNetworkOfferingCmd.getTraffictype());
+        assertEquals(Boolean.TRUE, cloneNetworkOfferingCmd.getConserveMode());
+        assertEquals(Boolean.FALSE, cloneNetworkOfferingCmd.getSpecifyVlan());
+        assertEquals(Boolean.TRUE, cloneNetworkOfferingCmd.getIsPersistent());
+        assertEquals(Boolean.FALSE, cloneNetworkOfferingCmd.getEgressDefaultPolicy());
+        assertEquals(Integer.valueOf(200), cloneNetworkOfferingCmd.getNetworkRate());
+        assertEquals(Long.valueOf(456L), cloneNetworkOfferingCmd.getServiceOfferingId());
+    }
+
+    @Test
+    public void testCloneWithAddAndDropServices() {
+        List<String> addServices = Arrays.asList("StaticNat", "PortForwarding");
+        List<String> dropServices = Arrays.asList("Vpn");
+
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "sourceOfferingId", 123L);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "addServices", addServices);
+        ReflectionTestUtils.setField(cloneNetworkOfferingCmd, "dropServices", dropServices);
+
+        assertEquals(addServices, cloneNetworkOfferingCmd.getAddServices());
+        assertEquals(dropServices, cloneNetworkOfferingCmd.getDropServices());
+    }
+}
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmdTest.java
new file mode 100644
index 00000000000..b4f7c55bd1f
--- /dev/null
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/offering/CloneServiceOfferingCmdTest.java
@@ -0,0 +1,669 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.offering;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.offering.ServiceOffering;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.ResponseGenerator;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ServiceOfferingResponse;
+import org.apache.cloudstack.vm.lease.VMLeaseManager;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class CloneServiceOfferingCmdTest {
+
+    private CloneServiceOfferingCmd cloneServiceOfferingCmd;
+
+    @Mock
+    private com.cloud.configuration.ConfigurationService configService;
+
+    @Mock
+    private ResponseGenerator responseGenerator;
+
+    @Mock
+    private ServiceOffering mockServiceOffering;
+
+    @Mock
+    private ServiceOfferingResponse mockServiceOfferingResponse;
+
+    @Before
+    public void setUp() {
+        cloneServiceOfferingCmd = new CloneServiceOfferingCmd();
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "_configService", configService);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "_responseGenerator", responseGenerator);
+    }
+
+    @Test
+    public void testGetSourceOfferingId() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        assertEquals(sourceOfferingId, cloneServiceOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testGetServiceOfferingName() {
+        String name = "ClonedServiceOffering";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", name);
+        assertEquals(name, cloneServiceOfferingCmd.getServiceOfferingName());
+    }
+
+    @Test
+    public void testGetDisplayText() {
+        String displayText = "Cloned Service Offering Display Text";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "displayText", displayText);
+        assertEquals(displayText, cloneServiceOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetDisplayTextDefaultsToName() {
+        String name = "ClonedServiceOffering";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", name);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "displayText", null);
+        assertEquals(name, cloneServiceOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetCpu() {
+        Integer cpu = 4;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuNumber", cpu);
+        assertEquals(cpu, cloneServiceOfferingCmd.getCpuNumber());
+    }
+
+    @Test
+    public void testGetMemory() {
+        Integer memory = 8192;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "memory", memory);
+        assertEquals(memory, cloneServiceOfferingCmd.getMemory());
+    }
+
+    @Test
+    public void testGetCpuSpeed() {
+        Integer cpuSpeed = 2000;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuSpeed", cpuSpeed);
+        assertEquals(cpuSpeed, cloneServiceOfferingCmd.getCpuSpeed());
+    }
+
+    @Test
+    public void testGetOfferHa() {
+        Boolean offerHa = true;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "offerHa", offerHa);
+        assertEquals(offerHa, cloneServiceOfferingCmd.isOfferHa());
+    }
+
+    @Test
+    public void testGetLimitCpuUse() {
+        Boolean limitCpuUse = false;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "limitCpuUse", limitCpuUse);
+        assertEquals(limitCpuUse, cloneServiceOfferingCmd.isLimitCpuUse());
+    }
+
+    @Test
+    public void testGetVolatileVm() {
+        Boolean volatileVm = true;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "isVolatile", volatileVm);
+        assertEquals(volatileVm, cloneServiceOfferingCmd.isVolatileVm());
+    }
+
+    @Test
+    public void testGetStorageType() {
+        String storageType = "local";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "storageType", storageType);
+        assertEquals(storageType, cloneServiceOfferingCmd.getStorageType());
+    }
+
+    @Test
+    public void testGetTags() {
+        String tags = "ssd,premium,dedicated";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "tags", tags);
+        assertEquals(tags, cloneServiceOfferingCmd.getTags());
+    }
+
+    @Test
+    public void testGetHostTag() {
+        String hostTag = "gpu-enabled";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "hostTag", hostTag);
+        assertEquals(hostTag, cloneServiceOfferingCmd.getHostTag());
+    }
+
+    @Test
+    public void testGetNetworkRate() {
+        Integer networkRate = 1000;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "networkRate", networkRate);
+        assertEquals(networkRate, cloneServiceOfferingCmd.getNetworkRate());
+    }
+
+    @Test
+    public void testGetDeploymentPlanner() {
+        String deploymentPlanner = "UserDispersingPlanner";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "deploymentPlanner", deploymentPlanner);
+        assertEquals(deploymentPlanner, cloneServiceOfferingCmd.getDeploymentPlanner());
+    }
+
+    @Test
+    public void testGetDetails() {
+        Map<String, HashMap<String, String>> details = new HashMap<>();
+
+        HashMap<String, String> cpuOvercommit = new HashMap<>();
+        cpuOvercommit.put("key", "cpuOvercommitRatio");
+        cpuOvercommit.put("value", "2.0");
+
+        HashMap<String, String> memoryOvercommit = new HashMap<>();
+        memoryOvercommit.put("key", "memoryOvercommitRatio");
+        memoryOvercommit.put("value", "1.5");
+
+        details.put("0", cpuOvercommit);
+        details.put("1", memoryOvercommit);
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "details", details);
+
+        Map<String, String> result = cloneServiceOfferingCmd.getDetails();
+        assertNotNull(result);
+        assertEquals("2.0", result.get("cpuOvercommitRatio"));
+        assertEquals("1.5", result.get("memoryOvercommitRatio"));
+    }
+
+    @Test
+    public void testIsPurgeResources() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "purgeResources", true);
+        assertTrue(cloneServiceOfferingCmd.isPurgeResources());
+    }
+
+    @Test
+    public void testIsPurgeResourcesFalse() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "purgeResources", false);
+        assertFalse(cloneServiceOfferingCmd.isPurgeResources());
+    }
+
+    @Test
+    public void testIsPurgeResourcesDefaultFalse() {
+        assertFalse(cloneServiceOfferingCmd.isPurgeResources());
+    }
+
+    @Test
+    public void testGetLeaseDuration() {
+        Integer leaseDuration = 3600;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseDuration", leaseDuration);
+        assertEquals(leaseDuration, cloneServiceOfferingCmd.getLeaseDuration());
+    }
+
+    @Test
+    public void testGetLeaseExpiryAction() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseExpiryAction", "stop");
+        assertEquals(VMLeaseManager.ExpiryAction.STOP, cloneServiceOfferingCmd.getLeaseExpiryAction());
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseExpiryAction", "DESTROY");
+        assertEquals(VMLeaseManager.ExpiryAction.DESTROY, cloneServiceOfferingCmd.getLeaseExpiryAction());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testGetLeaseExpiryActionInvalidValue() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseExpiryAction", "InvalidAction");
+        cloneServiceOfferingCmd.getLeaseExpiryAction();
+    }
+
+    @Test
+    public void testGetVgpuProfileId() {
+        Long vgpuProfileId = 10L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "vgpuProfileId", vgpuProfileId);
+        assertEquals(vgpuProfileId, cloneServiceOfferingCmd.getVgpuProfileId());
+    }
+
+    @Test
+    public void testGetGpuCount() {
+        Integer gpuCount = 2;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuCount", gpuCount);
+        assertEquals(gpuCount, cloneServiceOfferingCmd.getGpuCount());
+    }
+
+    @Test
+    public void testGetGpuDisplay() {
+        Boolean gpuDisplay = true;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuDisplay", gpuDisplay);
+        assertEquals(gpuDisplay, cloneServiceOfferingCmd.getGpuDisplay());
+    }
+
+    @Test
+    public void testExecuteSuccess() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteFailure() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(null);
+
+        try {
+            cloneServiceOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Failed to clone service offering", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteSuccessWithAllParameters() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", 555L);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", "ClonedOffering");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "displayText", "Test Display");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuNumber", 4);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "memory", 8192);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuSpeed", 2000);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithInvalidParameterException() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class)))
+            .thenThrow(new InvalidParameterValueException("Invalid source offering ID"));
+
+        try {
+            cloneServiceOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.PARAM_ERROR, e.getErrorCode());
+            assertEquals("Invalid source offering ID", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteWithCloudRuntimeException() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class)))
+            .thenThrow(new com.cloud.utils.exception.CloudRuntimeException("Runtime error during clone"));
+
+        try {
+            cloneServiceOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Runtime error during clone", e.getMessage());
+        }
+    }
+
+    @Test
+    public void testExecuteResponseNameIsSet() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        // Verify that response name would be set (actual verification would require accessing the response object's internal state)
+    }
+
+    @Test
+    public void testCloneWithAllParameters() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", 555L);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", "ClonedServiceOffering");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "displayText", "Cloned Service Offering");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuNumber", 4);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "memory", 8192);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuSpeed", 2000);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "offerHa", true);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "limitCpuUse", false);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "isVolatile", true);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "storageType", "local");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "tags", "premium");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "hostTag", "gpu-enabled");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "networkRate", 1000);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "deploymentPlanner", "UserDispersingPlanner");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "purgeResources", true);
+
+        assertEquals(Long.valueOf(555L), cloneServiceOfferingCmd.getSourceOfferingId());
+        assertEquals("ClonedServiceOffering", cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals("Cloned Service Offering", cloneServiceOfferingCmd.getDisplayText());
+        assertEquals(Integer.valueOf(4), cloneServiceOfferingCmd.getCpuNumber());
+        assertEquals(Integer.valueOf(8192), cloneServiceOfferingCmd.getMemory());
+        assertEquals(Integer.valueOf(2000), cloneServiceOfferingCmd.getCpuSpeed());
+        assertEquals(Boolean.TRUE, cloneServiceOfferingCmd.isOfferHa());
+        assertEquals(Boolean.FALSE, cloneServiceOfferingCmd.isLimitCpuUse());
+        assertEquals(Boolean.TRUE, cloneServiceOfferingCmd.isVolatileVm());
+        assertEquals("local", cloneServiceOfferingCmd.getStorageType());
+        assertEquals("premium", cloneServiceOfferingCmd.getTags());
+        assertEquals("gpu-enabled", cloneServiceOfferingCmd.getHostTag());
+        assertEquals(Integer.valueOf(1000), cloneServiceOfferingCmd.getNetworkRate());
+        assertEquals("UserDispersingPlanner", cloneServiceOfferingCmd.getDeploymentPlanner());
+        assertTrue(cloneServiceOfferingCmd.isPurgeResources());
+    }
+
+    @Test
+    public void testSourceOfferingIdNullByDefault() {
+        assertNull(cloneServiceOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testGetSystemVmType() {
+        String systemVmType = "domainrouter";
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "systemVmType", systemVmType);
+        assertEquals(systemVmType, cloneServiceOfferingCmd.getSystemVmType());
+    }
+
+    @Test
+    public void testGetBytesReadRate() {
+        Long bytesReadRate = 1000000L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "bytesReadRate", bytesReadRate);
+        assertEquals(bytesReadRate, cloneServiceOfferingCmd.getBytesReadRate());
+    }
+
+    @Test
+    public void testGetBytesWriteRate() {
+        Long bytesWriteRate = 1000000L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "bytesWriteRate", bytesWriteRate);
+        assertEquals(bytesWriteRate, cloneServiceOfferingCmd.getBytesWriteRate());
+    }
+
+    @Test
+    public void testGetIopsReadRate() {
+        Long iopsReadRate = 1000L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "iopsReadRate", iopsReadRate);
+        assertEquals(iopsReadRate, cloneServiceOfferingCmd.getIopsReadRate());
+    }
+
+    @Test
+    public void testGetIopsWriteRate() {
+        Long iopsWriteRate = 1000L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "iopsWriteRate", iopsWriteRate);
+        assertEquals(iopsWriteRate, cloneServiceOfferingCmd.getIopsWriteRate());
+    }
+
+    @Test
+    public void testCloneServiceOfferingWithGpuProfile() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", 555L);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", "GPU-Offering-Clone");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "vgpuProfileId", 10L);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuCount", 2);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuDisplay", true);
+
+        assertEquals(Long.valueOf(10L), cloneServiceOfferingCmd.getVgpuProfileId());
+        assertEquals(Integer.valueOf(2), cloneServiceOfferingCmd.getGpuCount());
+        assertTrue(cloneServiceOfferingCmd.getGpuDisplay());
+    }
+
+    @Test
+    public void testCloneServiceOfferingWithLease() {
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", 555L);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", "Lease-Offering-Clone");
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseDuration", 7200);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseExpiryAction", "destroy");
+
+        assertEquals(Integer.valueOf(7200), cloneServiceOfferingCmd.getLeaseDuration());
+        assertEquals(VMLeaseManager.ExpiryAction.DESTROY, cloneServiceOfferingCmd.getLeaseExpiryAction());
+    }
+
+    @Test
+    public void testExecuteWithOverriddenParameters() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        String newName = "ClonedOffering-Override";
+        String newDisplayText = "Overridden Display Text";
+        Integer newCpu = 8;
+        Integer newMemory = 16384;
+        Integer newCpuSpeed = 3000;
+        Boolean newOfferHa = true;
+        Boolean newLimitCpuUse = true;
+        String newStorageType = "shared";
+        String newTags = "premium,gpu";
+        String newHostTag = "compute-optimized";
+        Integer newNetworkRate = 2000;
+        String newDeploymentPlanner = "FirstFitPlanner";
+        Boolean newPurgeResources = true;
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "displayText", newDisplayText);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuNumber", newCpu);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "memory", newMemory);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuSpeed", newCpuSpeed);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "offerHa", newOfferHa);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "limitCpuUse", newLimitCpuUse);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "storageType", newStorageType);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "tags", newTags);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "hostTag", newHostTag);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "networkRate", newNetworkRate);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "deploymentPlanner", newDeploymentPlanner);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "purgeResources", newPurgeResources);
+
+        assertEquals(sourceOfferingId, cloneServiceOfferingCmd.getSourceOfferingId());
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals(newDisplayText, cloneServiceOfferingCmd.getDisplayText());
+        assertEquals(newCpu, cloneServiceOfferingCmd.getCpuNumber());
+        assertEquals(newMemory, cloneServiceOfferingCmd.getMemory());
+        assertEquals(newCpuSpeed, cloneServiceOfferingCmd.getCpuSpeed());
+        assertEquals(newOfferHa, cloneServiceOfferingCmd.isOfferHa());
+        assertEquals(newLimitCpuUse, cloneServiceOfferingCmd.isLimitCpuUse());
+        assertEquals(newStorageType, cloneServiceOfferingCmd.getStorageType());
+        assertEquals(newTags, cloneServiceOfferingCmd.getTags());
+        assertEquals(newHostTag, cloneServiceOfferingCmd.getHostTag());
+        assertEquals(newNetworkRate, cloneServiceOfferingCmd.getNetworkRate());
+        assertEquals(newDeploymentPlanner, cloneServiceOfferingCmd.getDeploymentPlanner());
+        assertTrue(cloneServiceOfferingCmd.isPurgeResources());
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithPartialOverrides() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        String newName = "PartialOverride";
+        Integer newCpu = 6;
+        Integer newMemory = 12288;
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "cpuNumber", newCpu);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "memory", newMemory);
+
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals(newCpu, cloneServiceOfferingCmd.getCpuNumber());
+        assertEquals(newMemory, cloneServiceOfferingCmd.getMemory());
+
+        assertNull(cloneServiceOfferingCmd.getCpuSpeed());
+        assertFalse(cloneServiceOfferingCmd.isOfferHa());
+        assertNull(cloneServiceOfferingCmd.getStorageType());
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithGpuOverrides() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        String newName = "GPU-Clone-Override";
+        Long vgpuProfileId = 15L;
+        Integer gpuCount = 4;
+        Boolean gpuDisplay = false;
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "vgpuProfileId", vgpuProfileId);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuCount", gpuCount);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "gpuDisplay", gpuDisplay);
+
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals(vgpuProfileId, cloneServiceOfferingCmd.getVgpuProfileId());
+        assertEquals(gpuCount, cloneServiceOfferingCmd.getGpuCount());
+        assertEquals(gpuDisplay, cloneServiceOfferingCmd.getGpuDisplay());
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithLeaseOverrides() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        String newName = "Lease-Clone-Override";
+        Integer leaseDuration = 14400; // 4 hours
+        String leaseExpiryAction = "stop";
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseDuration", leaseDuration);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "leaseExpiryAction", leaseExpiryAction);
+
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals(leaseDuration, cloneServiceOfferingCmd.getLeaseDuration());
+        assertEquals(VMLeaseManager.ExpiryAction.STOP, cloneServiceOfferingCmd.getLeaseExpiryAction());
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithStorageOverrides() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        String newName = "Storage-Clone-Override";
+        Long bytesReadRate = 2000000L;
+        Long bytesWriteRate = 1500000L;
+        Long iopsReadRate = 2000L;
+        Long iopsWriteRate = 1500L;
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "bytesReadRate", bytesReadRate);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "bytesWriteRate", bytesWriteRate);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "iopsReadRate", iopsReadRate);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "iopsWriteRate", iopsWriteRate);
+
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        assertEquals(bytesReadRate, cloneServiceOfferingCmd.getBytesReadRate());
+        assertEquals(bytesWriteRate, cloneServiceOfferingCmd.getBytesWriteRate());
+        assertEquals(iopsReadRate, cloneServiceOfferingCmd.getIopsReadRate());
+        assertEquals(iopsWriteRate, cloneServiceOfferingCmd.getIopsWriteRate());
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+
+    @Test
+    public void testExecuteWithDetailsOverride() {
+        Long sourceOfferingId = 555L;
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        String newName = "Details-Clone-Override";
+        Map<String, HashMap<String, String>> details = new HashMap<>();
+
+        HashMap<String, String> cpuOvercommit = new HashMap<>();
+        cpuOvercommit.put("key", "cpuOvercommitRatio");
+        cpuOvercommit.put("value", "3.0");
+
+        HashMap<String, String> memoryOvercommit = new HashMap<>();
+        memoryOvercommit.put("key", "memoryOvercommitRatio");
+        memoryOvercommit.put("value", "2.5");
+
+        HashMap<String, String> customDetail = new HashMap<>();
+        customDetail.put("key", "customParameter");
+        customDetail.put("value", "customValue");
+
+        details.put("0", cpuOvercommit);
+        details.put("1", memoryOvercommit);
+        details.put("2", customDetail);
+
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "serviceOfferingName", newName);
+        ReflectionTestUtils.setField(cloneServiceOfferingCmd, "details", details);
+
+        assertEquals(newName, cloneServiceOfferingCmd.getServiceOfferingName());
+        Map<String, String> result = cloneServiceOfferingCmd.getDetails();
+        assertNotNull(result);
+        assertEquals("3.0", result.get("cpuOvercommitRatio"));
+        assertEquals("2.5", result.get("memoryOvercommitRatio"));
+        assertEquals("customValue", result.get("customParameter"));
+
+        when(configService.cloneServiceOffering(any(CloneServiceOfferingCmd.class))).thenReturn(mockServiceOffering);
+        when(responseGenerator.createServiceOfferingResponse(mockServiceOffering)).thenReturn(mockServiceOfferingResponse);
+
+        cloneServiceOfferingCmd.execute();
+
+        assertNotNull(cloneServiceOfferingCmd.getResponseObject());
+        assertEquals(mockServiceOfferingResponse, cloneServiceOfferingCmd.getResponseObject());
+    }
+}
diff --git a/api/src/test/java/org/apache/cloudstack/api/command/admin/vpc/CloneVpcOfferingCmdTest.java b/api/src/test/java/org/apache/cloudstack/api/command/admin/vpc/CloneVpcOfferingCmdTest.java
new file mode 100644
index 00000000000..1e6d6c9e096
--- /dev/null
+++ b/api/src/test/java/org/apache/cloudstack/api/command/admin/vpc/CloneVpcOfferingCmdTest.java
@@ -0,0 +1,299 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.command.admin.vpc;
+
+import com.cloud.network.vpc.VpcOffering;
+import com.cloud.network.vpc.VpcProvisioningService;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.ResponseGenerator;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.VpcOfferingResponse;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class CloneVpcOfferingCmdTest {
+
+    private CloneVPCOfferingCmd cloneVpcOfferingCmd;
+
+    @Mock
+    private VpcProvisioningService vpcService;
+
+    @Mock
+    private ResponseGenerator responseGenerator;
+
+    @Mock
+    private VpcOffering mockVpcOffering;
+
+    @Mock
+    private VpcOfferingResponse mockVpcOfferingResponse;
+
+    @Before
+    public void setUp() {
+        cloneVpcOfferingCmd = new CloneVPCOfferingCmd();
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "_vpcProvSvc", vpcService);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "_responseGenerator", responseGenerator);
+    }
+
+    @Test
+    public void testGetSourceOfferingId() {
+        Long sourceOfferingId = 789L;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", sourceOfferingId);
+        assertEquals(sourceOfferingId, cloneVpcOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testGetName() {
+        String name = "ClonedVpcOffering";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "vpcOfferingName", name);
+        assertEquals(name, cloneVpcOfferingCmd.getVpcOfferingName());
+    }
+
+    @Test
+    public void testGetDisplayText() {
+        String displayText = "Cloned VPC Offering Display Text";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "displayText", displayText);
+        assertEquals(displayText, cloneVpcOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetDisplayTextDefaultsToName() {
+        String name = "ClonedVpcOffering";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "vpcOfferingName", name);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "displayText", null);
+        assertEquals(name, cloneVpcOfferingCmd.getDisplayText());
+    }
+
+    @Test
+    public void testGetServiceOfferingId() {
+        Long serviceOfferingId = 456L;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "serviceOfferingId", serviceOfferingId);
+        assertEquals(serviceOfferingId, cloneVpcOfferingCmd.getServiceOfferingId());
+    }
+
+    @Test
+    public void testGetInternetProtocol() {
+        String internetProtocol = "dualstack";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "internetProtocol", internetProtocol);
+        assertEquals(internetProtocol, cloneVpcOfferingCmd.getInternetProtocol());
+    }
+
+    @Test
+    public void testGetProvider() {
+        String provider = "NSX";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "provider", provider);
+        assertEquals(provider, cloneVpcOfferingCmd.getProvider());
+    }
+
+    @Test
+    public void testGetNetworkMode() {
+        String networkMode = "ROUTED";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "networkMode", networkMode);
+        assertEquals(networkMode, cloneVpcOfferingCmd.getNetworkMode());
+    }
+
+    @Test
+    public void testGetRoutingMode() {
+        String routingMode = "dynamic";
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "routingMode", routingMode);
+        assertEquals(routingMode, cloneVpcOfferingCmd.getRoutingMode());
+    }
+
+    @Test
+    public void testGetNsxSupportLb() {
+        Boolean nsxSupportLb = true;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "nsxSupportsLbService", nsxSupportLb);
+        assertEquals(nsxSupportLb, cloneVpcOfferingCmd.getNsxSupportsLbService());
+    }
+
+    @Test
+    public void testGetSpecifyAsnumber() {
+        Boolean specifyAsnumber = false;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "specifyAsNumber", specifyAsnumber);
+        assertEquals(specifyAsnumber, cloneVpcOfferingCmd.getSpecifyAsNumber());
+    }
+
+    @Test
+    public void testExecuteSuccess() {
+        Long sourceOfferingId = 789L;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(vpcService.cloneVPCOffering(any(CloneVPCOfferingCmd.class))).thenReturn(mockVpcOffering);
+        when(responseGenerator.createVpcOfferingResponse(mockVpcOffering)).thenReturn(mockVpcOfferingResponse);
+
+        cloneVpcOfferingCmd.execute();
+
+        assertNotNull(cloneVpcOfferingCmd.getResponseObject());
+        assertEquals(mockVpcOfferingResponse, cloneVpcOfferingCmd.getResponseObject());
+    }
+
+    @Test(expected = ServerApiException.class)
+    public void testExecuteFailure() {
+        Long sourceOfferingId = 789L;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", sourceOfferingId);
+
+        when(vpcService.cloneVPCOffering(any(CloneVPCOfferingCmd.class))).thenReturn(null);
+
+        try {
+            cloneVpcOfferingCmd.execute();
+            fail("Expected ServerApiException to be thrown");
+        } catch (ServerApiException e) {
+            assertEquals(ApiErrorCode.INTERNAL_ERROR, e.getErrorCode());
+            assertEquals("Failed to clone VPC offering", e.getMessage());
+            throw e;
+        }
+    }
+
+    @Test
+    public void testGetSupportedServices() {
+        List<String> supportedServices = Arrays.asList("Dhcp", "Dns", "SourceNat", "NetworkACL");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "supportedServices", supportedServices);
+        assertEquals(supportedServices, cloneVpcOfferingCmd.getSupportedServices());
+    }
+
+    @Test
+    public void testGetServiceProviders() {
+        Map<String, HashMap<String, String>> serviceProviderList = new HashMap<>();
+
+        HashMap<String, String> dhcpProvider = new HashMap<>();
+        dhcpProvider.put("service", "Dhcp");
+        dhcpProvider.put("provider", "VpcVirtualRouter");
+
+        HashMap<String, String> dnsProvider = new HashMap<>();
+        dnsProvider.put("service", "Dns");
+        dnsProvider.put("provider", "VpcVirtualRouter");
+
+        HashMap<String, String> aclProvider = new HashMap<>();
+        aclProvider.put("service", "NetworkACL");
+        aclProvider.put("provider", "VpcVirtualRouter");
+
+        serviceProviderList.put("0", dhcpProvider);
+        serviceProviderList.put("1", dnsProvider);
+        serviceProviderList.put("2", aclProvider);
+
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "serviceProviderList", serviceProviderList);
+
+        Map<String, List<String>> result = cloneVpcOfferingCmd.getServiceProviders();
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertNotNull(result.get("Dhcp"));
+        assertNotNull(result.get("Dns"));
+        assertNotNull(result.get("NetworkACL"));
+        assertEquals("VpcVirtualRouter", result.get("Dhcp").get(0));
+        assertEquals("VpcVirtualRouter", result.get("Dns").get(0));
+        assertEquals("VpcVirtualRouter", result.get("NetworkACL").get(0));
+    }
+
+    @Test
+    public void testGetEnable() {
+        Boolean enable = true;
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "enable", enable);
+        assertEquals(enable, cloneVpcOfferingCmd.getEnable());
+    }
+
+    @Test
+    public void testCloneWithAllParameters() {
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", 789L);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "vpcOfferingName", "ClonedVpcOffering");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "displayText", "Cloned VPC Offering");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "serviceOfferingId", 456L);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "internetProtocol", "ipv4");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "provider", "NSX");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "networkMode", "NATTED");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "routingMode", "static");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "nsxSupportsLbService", true);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "specifyAsNumber", false);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "enable", true);
+
+        assertEquals(Long.valueOf(789L), cloneVpcOfferingCmd.getSourceOfferingId());
+        assertEquals("ClonedVpcOffering", cloneVpcOfferingCmd.getVpcOfferingName());
+        assertEquals("Cloned VPC Offering", cloneVpcOfferingCmd.getDisplayText());
+        assertEquals(Long.valueOf(456L), cloneVpcOfferingCmd.getServiceOfferingId());
+        assertEquals("ipv4", cloneVpcOfferingCmd.getInternetProtocol());
+        assertEquals("NSX", cloneVpcOfferingCmd.getProvider());
+        assertEquals("NATTED", cloneVpcOfferingCmd.getNetworkMode());
+        assertEquals("static", cloneVpcOfferingCmd.getRoutingMode());
+        assertEquals(Boolean.TRUE, cloneVpcOfferingCmd.getNsxSupportsLbService());
+        assertEquals(Boolean.FALSE, cloneVpcOfferingCmd.getSpecifyAsNumber());
+        assertEquals(Boolean.TRUE, cloneVpcOfferingCmd.getEnable());
+    }
+
+    @Test
+    public void testSourceOfferingIdNullByDefault() {
+        assertNull(cloneVpcOfferingCmd.getSourceOfferingId());
+    }
+
+    @Test
+    public void testProviderNullByDefault() {
+        assertNull(cloneVpcOfferingCmd.getProvider());
+    }
+
+    @Test
+    public void testServiceCapabilityList() {
+        Map<String, List<String>> serviceCapabilityList = new HashMap<>();
+        serviceCapabilityList.put("Connectivity", Arrays.asList("RegionLevelVpc:true", "DistributedRouter:true"));
+        serviceCapabilityList.put("SourceNat", Arrays.asList("RedundantRouter:true"));
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "serviceCapabilityList", serviceCapabilityList);
+
+        Map<String, List<String>> result = cloneVpcOfferingCmd.getServiceCapabilityList();
+        assertNotNull(result);
+        assertEquals(serviceCapabilityList, result);
+    }
+
+    @Test
+    public void testCloneVpcOfferingWithNsxProvider() {
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", 789L);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "provider", "NSX");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "nsxSupportsLbService", true);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "networkMode", "ROUTED");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "routingMode", "dynamic");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "specifyAsNumber", true);
+
+        assertEquals("NSX", cloneVpcOfferingCmd.getProvider());
+        assertEquals(Boolean.TRUE, cloneVpcOfferingCmd.getNsxSupportsLbService());
+        assertEquals("ROUTED", cloneVpcOfferingCmd.getNetworkMode());
+        assertEquals("dynamic", cloneVpcOfferingCmd.getRoutingMode());
+        assertEquals(Boolean.TRUE, cloneVpcOfferingCmd.getSpecifyAsNumber());
+    }
+
+    @Test
+    public void testCloneVpcOfferingWithNetrisProvider() {
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "sourceOfferingId", 789L);
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "provider", "Netris");
+        ReflectionTestUtils.setField(cloneVpcOfferingCmd, "networkMode", "NATTED");
+
+        assertEquals("Netris", cloneVpcOfferingCmd.getProvider());
+        assertEquals("NATTED", cloneVpcOfferingCmd.getNetworkMode());
+    }
+}
diff --git a/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java b/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
index b1cad20b19e..454cb10a2f2 100644
--- a/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
+++ b/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
@@ -288,4 +288,6 @@ public interface IpAddressManager {
     PublicIpQuarantine updatePublicIpAddressInQuarantine(Long quarantineProcessId, Date endDate);
 
     void updateSourceNatIpAddress(IPAddressVO requestedIp, List<IPAddressVO> userIps) throws Exception;
+
+    Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId);
 }
diff --git a/engine/components-api/src/main/java/com/cloud/network/lb/LoadBalancingRulesManager.java b/engine/components-api/src/main/java/com/cloud/network/lb/LoadBalancingRulesManager.java
index 669456cbdcc..d8011e9ade1 100644
--- a/engine/components-api/src/main/java/com/cloud/network/lb/LoadBalancingRulesManager.java
+++ b/engine/components-api/src/main/java/com/cloud/network/lb/LoadBalancingRulesManager.java
@@ -39,7 +39,7 @@ import com.cloud.user.Account;
 public interface LoadBalancingRulesManager {
 
     LoadBalancer createPublicLoadBalancer(String xId, String name, String description, int srcPort, int destPort, long sourceIpId, String protocol, String algorithm,
-        boolean openFirewall, CallContext caller, String lbProtocol, Boolean forDisplay, String cidrList) throws NetworkRuleConflictException;
+        boolean openFirewall, CallContext caller, String lbProtocol, Boolean forDisplay, String cidrList, Long networkId) throws NetworkRuleConflictException;
 
     boolean removeAllLoadBalanacersForIp(long ipId, Account caller, long callerUserId);
 
diff --git a/engine/components-api/src/main/java/com/cloud/network/vpc/VpcManager.java b/engine/components-api/src/main/java/com/cloud/network/vpc/VpcManager.java
index e7f41d079a7..792a3a6b397 100644
--- a/engine/components-api/src/main/java/com/cloud/network/vpc/VpcManager.java
+++ b/engine/components-api/src/main/java/com/cloud/network/vpc/VpcManager.java
@@ -211,4 +211,9 @@ public interface VpcManager {
     void reconfigStaticNatForVpcVr(Long vpcId);
 
     boolean applyStaticRouteForVpcVpnIfNeeded(Long vpcId, boolean updateAllVpn) throws ResourceUnavailableException;
+
+    /**
+     * Returns true if the network is part of a VPC, and the VPC is created from conserve mode enabled VPC offering
+     */
+    boolean isNetworkOnVpcEnabledConserveMode(Network network);
 }
diff --git a/engine/schema/src/main/java/com/cloud/network/vpc/VpcOfferingVO.java b/engine/schema/src/main/java/com/cloud/network/vpc/VpcOfferingVO.java
index 9320a37bc96..b913468384e 100644
--- a/engine/schema/src/main/java/com/cloud/network/vpc/VpcOfferingVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/vpc/VpcOfferingVO.java
@@ -91,6 +91,9 @@ public class VpcOfferingVO implements VpcOffering {
     @Column(name = "specify_as_number")
     private Boolean specifyAsNumber = false;
 
+    @Column(name = "conserve_mode")
+    private boolean conserveMode;
+
     public VpcOfferingVO() {
         this.uuid = UUID.randomUUID().toString();
     }
@@ -242,4 +245,13 @@ public class VpcOfferingVO implements VpcOffering {
     public void setSpecifyAsNumber(Boolean specifyAsNumber) {
         this.specifyAsNumber = specifyAsNumber;
     }
+
+    @Override
+    public boolean isConserveMode() {
+        return conserveMode;
+    }
+
+    public void setConserveMode(boolean conserveMode) {
+        this.conserveMode = conserveMode;
+    }
 }
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade410to420.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade410to420.java
index a78f93fbdd4..5c47087b968 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade410to420.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade410to420.java
@@ -1947,7 +1947,7 @@ public class Upgrade410to420 extends DbUpgradeAbstractImpl {
 
                 Map<String, String> detailMap = new HashMap<String, String>();
                 detailMap.put(ApiConstants.S3_ACCESS_KEY, s3_accesskey);
-                detailMap.put(ApiConstants.S3_SECRET_KEY, s3_secretkey);
+                detailMap.put(ApiConstants.SECRET_KEY, s3_secretkey);
                 detailMap.put(ApiConstants.S3_BUCKET_NAME, s3_bucket);
                 detailMap.put(ApiConstants.S3_END_POINT, s3_endpoint);
                 detailMap.put(ApiConstants.S3_HTTPS_FLAG, String.valueOf(s3_https));
diff --git a/engine/schema/src/main/java/com/cloud/user/UserAccountVO.java b/engine/schema/src/main/java/com/cloud/user/UserAccountVO.java
index c5ca410fc53..7345eeb4853 100644
--- a/engine/schema/src/main/java/com/cloud/user/UserAccountVO.java
+++ b/engine/schema/src/main/java/com/cloud/user/UserAccountVO.java
@@ -36,7 +36,6 @@ import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.lang3.StringUtils;
 
-import com.cloud.utils.db.Encrypt;
 import com.cloud.utils.db.GenericDao;
 
 @Entity
@@ -69,13 +68,6 @@ public class UserAccountVO implements UserAccount, InternalIdentity {
     @Column(name = "state")
     private String state;
 
-    @Column(name = "api_key")
-    private String apiKey = null;
-
-    @Encrypt
-    @Column(name = "secret_key")
-    private String secretKey = null;
-
     @Column(name = GenericDao.CREATED_COLUMN)
     private Date created;
 
@@ -203,24 +195,6 @@ public class UserAccountVO implements UserAccount, InternalIdentity {
         this.state = state;
     }
 
-    @Override
-    public String getApiKey() {
-        return apiKey;
-    }
-
-    public void setApiKey(String apiKey) {
-        this.apiKey = apiKey;
-    }
-
-    @Override
-    public String getSecretKey() {
-        return secretKey;
-    }
-
-    public void setSecretKey(String secretKey) {
-        this.secretKey = secretKey;
-    }
-
     @Override
     public Date getCreated() {
         return created;
diff --git a/engine/schema/src/main/java/com/cloud/user/UserVO.java b/engine/schema/src/main/java/com/cloud/user/UserVO.java
index d74aa7ed41b..1b89bc215cf 100644
--- a/engine/schema/src/main/java/com/cloud/user/UserVO.java
+++ b/engine/schema/src/main/java/com/cloud/user/UserVO.java
@@ -33,7 +33,6 @@ import org.apache.cloudstack.api.InternalIdentity;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 
 import com.cloud.user.Account.State;
-import com.cloud.utils.db.Encrypt;
 import com.cloud.utils.db.GenericDao;
 import org.apache.commons.lang3.StringUtils;
 
@@ -71,13 +70,6 @@ public class UserVO implements User, Identity, InternalIdentity {
     @Enumerated(value = EnumType.STRING)
     private State state;
 
-    @Column(name = "api_key")
-    private String apiKey = null;
-
-    @Encrypt
-    @Column(name = "secret_key")
-    private String secretKey = null;
-
     @Column(name = GenericDao.CREATED_COLUMN)
     private Date created;
 
@@ -150,8 +142,6 @@ public class UserVO implements User, Identity, InternalIdentity {
         this.setTimezone(user.getTimezone());
         this.setUuid(user.getUuid());
         this.setSource(user.getSource());
-        this.setApiKey(user.getApiKey());
-        this.setSecretKey(user.getSecretKey());
         this.setExternalEntity(user.getExternalEntity());
         this.setRegistered(user.isRegistered());
         this.setRegistrationToken(user.getRegistrationToken());
@@ -243,26 +233,6 @@ public class UserVO implements User, Identity, InternalIdentity {
         this.state = state;
     }
 
-    @Override
-    public String getApiKey() {
-        return apiKey;
-    }
-
-    @Override
-    public void setApiKey(String apiKey) {
-        this.apiKey = apiKey;
-    }
-
-    @Override
-    public String getSecretKey() {
-        return secretKey;
-    }
-
-    @Override
-    public void setSecretKey(String secretKey) {
-        this.secretKey = secretKey;
-    }
-
     @Override
     public String getTimezone() {
         if (StringUtils.isEmpty(timezone)) {
diff --git a/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java b/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java
index de3b769571e..e377bbab94e 100644
--- a/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java
+++ b/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java
@@ -30,6 +30,4 @@ public interface UserAccountDao extends GenericDao<UserAccountVO, Long> {
     List<UserAccountVO> getUserAccountByEmail(String email, Long domainId);
 
     boolean validateUsernameInDomain(String username, Long domainId);
-
-    UserAccount getUserByApiKey(String apiKey);
 }
diff --git a/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDaoImpl.java b/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDaoImpl.java
index c9de9a367ee..28392abbff5 100644
--- a/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/user/dao/UserAccountDaoImpl.java
@@ -19,7 +19,6 @@ package com.cloud.user.dao;
 import com.cloud.user.UserAccount;
 import com.cloud.user.UserAccountVO;
 import com.cloud.utils.db.GenericDaoBase;
-import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
 import org.springframework.stereotype.Component;
 
@@ -28,14 +27,6 @@ import java.util.List;
 @Component
 public class UserAccountDaoImpl extends GenericDaoBase<UserAccountVO, Long> implements UserAccountDao {
 
-    protected final SearchBuilder<UserAccountVO> userAccountSearch;
-
-    public UserAccountDaoImpl() {
-        userAccountSearch = createSearchBuilder();
-        userAccountSearch.and("apiKey", userAccountSearch.entity().getApiKey(), SearchCriteria.Op.EQ);
-        userAccountSearch.done();
-    }
-
     @Override
     public List<UserAccountVO> getAllUsersByNameAndEntity(String username, String entity) {
         if (username == null) {
@@ -79,12 +70,4 @@ public class UserAccountDaoImpl extends GenericDaoBase<UserAccountVO, Long> impl
         }
         return false;
     }
-
-    @Override
-    public UserAccount getUserByApiKey(String apiKey) {
-        SearchCriteria<UserAccountVO> sc = userAccountSearch.create();
-        sc.setParameters("apiKey", apiKey);
-        return findOneBy(sc);
-    }
-
 }
diff --git a/engine/schema/src/main/java/com/cloud/user/dao/UserDao.java b/engine/schema/src/main/java/com/cloud/user/dao/UserDao.java
index 14b07425150..2e160efb950 100644
--- a/engine/schema/src/main/java/com/cloud/user/dao/UserDao.java
+++ b/engine/schema/src/main/java/com/cloud/user/dao/UserDao.java
@@ -37,13 +37,6 @@ public interface UserDao extends GenericDao<UserVO, Long> {
 
     List<UserVO> listByAccount(long accountId);
 
-    /**
-     * Finds a user based on the secret key provided.
-     * @param secretKey
-     * @return
-     */
-    UserVO findUserBySecretKey(String secretKey);
-
     /**
      * Finds a user based on the registration token provided.
      * @param registrationToken
diff --git a/engine/schema/src/main/java/com/cloud/user/dao/UserDaoImpl.java b/engine/schema/src/main/java/com/cloud/user/dao/UserDaoImpl.java
index 8baf732c240..de60e48dff8 100644
--- a/engine/schema/src/main/java/com/cloud/user/dao/UserDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/user/dao/UserDaoImpl.java
@@ -65,10 +65,6 @@ public class UserDaoImpl extends GenericDaoBase<UserVO, Long> implements UserDao
         UserIdSearch.and("id", UserIdSearch.entity().getId(), SearchCriteria.Op.EQ);
         UserIdSearch.done();
 
-        SecretKeySearch = createSearchBuilder();
-        SecretKeySearch.and("secretKey", SecretKeySearch.entity().getSecretKey(), SearchCriteria.Op.EQ);
-        SecretKeySearch.done();
-
         RegistrationTokenSearch = createSearchBuilder();
         RegistrationTokenSearch.and("registrationToken", RegistrationTokenSearch.entity().getRegistrationToken(), SearchCriteria.Op.EQ);
         RegistrationTokenSearch.done();
@@ -121,13 +117,6 @@ public class UserDaoImpl extends GenericDaoBase<UserVO, Long> implements UserDao
         return listBy(sc);
     }
 
-    @Override
-    public UserVO findUserBySecretKey(String secretKey) {
-        SearchCriteria<UserVO> sc = SecretKeySearch.create();
-        sc.setParameters("secretKey", secretKey);
-        return findOneBy(sc);
-    }
-
     @Override
     public UserVO findUserByRegistrationToken(String registrationToken) {
         SearchCriteria<UserVO> sc = RegistrationTokenSearch.create();
diff --git a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
index b4ad7d2f42d..589a63ea0d8 100755
--- a/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
+++ b/engine/schema/src/main/java/com/cloud/vm/dao/VMInstanceDaoImpl.java
@@ -846,15 +846,18 @@ public class VMInstanceDaoImpl extends GenericDaoBase<VMInstanceVO, Long> implem
 
         try {
             pstmtLegacy = txn.prepareAutoCloseStatement(finalQueryLegacy.toString());
-            pstmt = txn.prepareAutoCloseStatement(finalQuery.toString());
             for (int i = 0; i < resourceIdList.size(); i++) {
                 pstmtLegacy.setLong(1 + i, resourceIdList.get(i));
-                pstmt.setLong(1 + i, resourceIdList.get(i));
             }
             ResultSet rs = pstmtLegacy.executeQuery();
             while (rs.next()) {
                 result.put(rs.getString(1).concat(rs.getString(2)), rs.getLong(3));
             }
+
+            pstmt = txn.prepareAutoCloseStatement(finalQuery.toString());
+            for (int i = 0; i < resourceIdList.size(); i++) {
+                pstmt.setLong(1 + i, resourceIdList.get(i));
+            }
             rs = pstmt.executeQuery();
             while (rs.next()) {
                 result.put(rs.getString(1).concat(rs.getString(2)), rs.getLong(3));
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairPermissionVO.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairPermissionVO.java
new file mode 100644
index 00000000000..7972fe6bc62
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairPermissionVO.java
@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Table;
+
+@Entity
+@Table(name = "api_keypair_permissions")
+public class ApiKeyPairPermissionVO extends RolePermissionBaseVO implements ApiKeyPairPermission {
+    @Column(name = "api_keypair_id")
+    private long apiKeyPairId;
+
+    @Column(name = "sort_order")
+    private long sortOrder = 0;
+
+    public ApiKeyPairPermissionVO(long apiKeyPairId, String rule, Permission permission, String description) {
+        super(rule, permission, description);
+        this.apiKeyPairId = apiKeyPairId;
+    }
+
+    public ApiKeyPairPermissionVO(String rule, Permission permission, String description) {
+        super(rule, permission, description);
+    }
+
+    public ApiKeyPairPermissionVO() {
+    }
+
+    public long getApiKeyPairId() {
+        return this.apiKeyPairId;
+    }
+
+    public void setApiKeyPairId(long keyPairId) {
+        this.apiKeyPairId = keyPairId;
+    }
+
+    public void setSortOrder(long sortOrder) {
+        this.sortOrder = sortOrder;
+    }
+
+    public long getSortOrder() {
+        return sortOrder;
+    }
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairVO.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairVO.java
new file mode 100644
index 00000000000..eb38b08f615
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/ApiKeyPairVO.java
@@ -0,0 +1,244 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
+import com.cloud.utils.db.Encrypt;
+import java.time.Instant;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.persistence.Temporal;
+import javax.persistence.TemporalType;
+import java.util.Date;
+import java.util.Objects;
+import java.util.UUID;
+import org.joda.time.DateTime;
+
+@Entity
+@Table(name = "api_keypair")
+public class ApiKeyPairVO implements ApiKeyPair {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id", nullable = false)
+    private Long id;
+
+    @Column(name = "uuid", nullable = false)
+    private String uuid = UUID.randomUUID().toString();
+
+    @Column(name = "user_id", nullable = false)
+    private Long userId;
+
+    @Column(name = "name", nullable = false)
+    private String name;
+
+    @Column(name = "domain_id", nullable = false)
+    private Long domainId;
+
+    @Column(name = "account_id", nullable = false)
+    private Long accountId;
+
+    @Column(name = "start_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date startDate;
+
+    @Column(name = "end_date")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date endDate;
+
+    @Column(name = "created", nullable = false)
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date created = Date.from(Instant.now());
+
+    @Column(name = "description")
+    private String description = "";
+
+    @Column(name = "api_key", nullable = false)
+    private String apiKey;
+
+    @Encrypt
+    @Column(name = "secret_key", nullable = false)
+    private String secretKey;
+
+    @Column(name = "removed")
+    @Temporal(value = TemporalType.TIMESTAMP)
+    private Date removed;
+
+    public ApiKeyPairVO() {
+    }
+
+    public ApiKeyPairVO(Long id) {
+        this.id = id;
+    }
+
+    public ApiKeyPairVO(Long userId, String description, Date startDate, Date endDate,
+                        String apiKey, String secretKey) {
+        this.userId = userId;
+        this.description = description;
+        this.startDate = startDate;
+        this.endDate = endDate;
+        this.apiKey = apiKey;
+        this.secretKey = secretKey;
+    }
+
+    public ApiKeyPairVO(String name, Long userId, String description, Date startDate, Date endDate, Account account) {
+        this.name = Objects.requireNonNullElseGet(name, () -> userId + " - API key pair");
+        this.userId = userId;
+        this.description = description;
+        this.startDate = startDate;
+        this.endDate = endDate;
+        this.domainId = account.getDomainId();
+        this.accountId = account.getAccountId();
+    }
+
+    public ApiKeyPairVO(Long id, Long userId) {
+        this.id = id;
+        this.userId = userId;
+    }
+
+    public void validateDate() {
+        Date now = DateTime.now().toDate();
+        Date keypairStart = this.getStartDate();
+        Date keypairExpiration = this.getEndDate();
+        if (keypairStart != null && now.compareTo(keypairStart) <= 0) {
+            throw new InvalidParameterValueException(String.format("API key pair is not valid yet, start date: %s", keypairStart));
+        }
+        if (keypairExpiration != null && now.compareTo(keypairExpiration) >= 0) {
+            throw new InvalidParameterValueException(String.format("API key pair is expired, expiration date: %s", keypairExpiration));
+        }
+    }
+
+    public boolean hasEndDatePassed() {
+        Date now = DateTime.now().toDate();
+        Date keypairExpiration = this.getEndDate();
+        return keypairExpiration != null && now.compareTo(keypairExpiration) >= 0;
+    }
+
+    public long getId() {
+        return id;
+    }
+
+    public String getUuid() {
+        return uuid;
+    }
+
+    public Long getUserId() {
+        return userId;
+    }
+
+    public Date getStartDate() {
+        return startDate;
+    }
+
+    public Date getEndDate() {
+        return endDate;
+    }
+
+    public Date getCreated() {
+        return created;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public String getApiKey() {
+        return apiKey;
+    }
+
+    public String getSecretKey() {
+        return secretKey;
+    }
+
+    public Class<?> getEntityType() {
+        return ApiKeyPair.class;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public Date getRemoved() {
+        return removed;
+    }
+
+    @Override
+    public long getDomainId() {
+        return this.domainId;
+    }
+
+    @Override
+    public long getAccountId() {
+        return this.accountId;
+    }
+
+    public void setId(Long id) { this.id = id; }
+
+    public void setUuid(String uuid) {
+        this.uuid = uuid;
+    }
+
+    public void setUserId(Long userId) {
+        this.userId = userId;
+    }
+
+    public void setStartDate(Date startDate) {
+        this.startDate = startDate;
+    }
+
+    public void setEndDate(Date endDate) {
+        this.endDate = endDate;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public void setApiKey(String apiKey) {
+        this.apiKey = apiKey;
+    }
+
+    public void setSecretKey(String secretKey) {
+        this.secretKey = secretKey;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public void setDomainId(Long domainId) {
+        this.domainId = domainId;
+    }
+
+    public void setAccountId(Long accountId) {
+        this.accountId = accountId;
+    }
+
+    public void setCreated(Date created) {
+        this.created = created;
+    }
+
+    public void setRemoved(Date removed) {
+        this.removed = removed;
+    }
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java
index f3347ab6630..588fa029964 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/RolePermissionBaseVO.java
@@ -50,6 +50,12 @@ public class RolePermissionBaseVO implements RolePermissionEntity {
 
     public RolePermissionBaseVO() { this.uuid = UUID.randomUUID().toString(); }
 
+    public RolePermissionBaseVO(final String rule, final Permission permission) {
+        this();
+        this.rule = rule;
+        this.permission = permission;
+    }
+
     public RolePermissionBaseVO(final String rule, final Permission permission, final String description) {
         this();
         this.rule = rule;
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDao.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDao.java
new file mode 100644
index 00000000000..006c2afbc96
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDao.java
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import com.cloud.utils.Pair;
+import java.util.List;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
+import com.cloud.utils.db.GenericDao;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
+
+public interface ApiKeyPairDao extends GenericDao<ApiKeyPairVO, Long> {
+    ApiKeyPairVO findBySecretKey(String secretKey);
+
+    ApiKeyPairVO findByApiKey(String apiKey);
+
+    ApiKeyPairVO findByUuid(String uuid);
+
+    Pair<List<ApiKeyPairVO>, Integer> listApiKeysByUserOrApiKeyId(Long userId, Long apiKeyId);
+
+    ApiKeyPairVO getLastApiKeyCreatedByUser(Long userId);
+
+    Pair<List<ApiKeyPairVO>, Integer> listByUserIdsPaginated(List<Long> userIds, ListUserKeysCmd cmd);
+
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDaoImpl.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDaoImpl.java
new file mode 100644
index 00000000000..a4895efed9e
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairDaoImpl.java
@@ -0,0 +1,92 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import com.cloud.utils.Pair;
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import java.util.List;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
+import org.apache.commons.collections.CollectionUtils;
+import org.springframework.stereotype.Component;
+
+@Component
+public class ApiKeyPairDaoImpl extends GenericDaoBase<ApiKeyPairVO, Long> implements ApiKeyPairDao {
+    private static final String ID = "id";
+    private static final String USER_ID = "userId";
+    private static final String API_KEY = "apiKey";
+    private static final String SECRET_KEY = "secretKey";
+
+    private final SearchBuilder<ApiKeyPairVO> keyPairSearch;
+
+    ApiKeyPairDaoImpl() {
+        super();
+
+        keyPairSearch = createSearchBuilder();
+        keyPairSearch.and(API_KEY, keyPairSearch.entity().getApiKey(), SearchCriteria.Op.EQ);
+        keyPairSearch.and(SECRET_KEY, keyPairSearch.entity().getSecretKey(), SearchCriteria.Op.EQ);
+        keyPairSearch.and(ID, keyPairSearch.entity().getId(), SearchCriteria.Op.EQ);
+        keyPairSearch.and(USER_ID, keyPairSearch.entity().getUserId(), SearchCriteria.Op.IN);
+        keyPairSearch.done();
+    }
+
+    @Override
+    public ApiKeyPairVO findByApiKey(String apiKey) {
+        SearchCriteria<ApiKeyPairVO> sc = keyPairSearch.create();
+        sc.setParameters(API_KEY, apiKey);
+        return findOneBy(sc);
+    }
+
+    public ApiKeyPairVO findBySecretKey(String secretKey) {
+        SearchCriteria<ApiKeyPairVO> sc = keyPairSearch.create();
+        sc.setParameters(SECRET_KEY, secretKey);
+        return findOneBy(sc);
+    }
+
+    public Pair<List<ApiKeyPairVO>, Integer> listApiKeysByUserOrApiKeyId(Long userId, Long apiKeyId) {
+        SearchCriteria<ApiKeyPairVO> sc = keyPairSearch.create();
+        sc.setParametersIfNotNull(USER_ID, userId);
+        sc.setParametersIfNotNull(ID, apiKeyId);
+        final Filter searchFilter = new Filter(100);
+        return searchAndCount(sc, searchFilter);
+    }
+
+    public ApiKeyPairVO getLastApiKeyCreatedByUser(Long userId) {
+        final SearchCriteria<ApiKeyPairVO> sc = keyPairSearch.create();
+        sc.setParametersIfNotNull(USER_ID, userId);
+        final Filter searchBySorted = new Filter(ApiKeyPairVO.class, ID, false, null, null);
+        return findOneBy(sc, searchBySorted);
+    }
+
+    public Pair<List<ApiKeyPairVO>, Integer> listByUserIdsPaginated(List<Long> userIds, ListUserKeysCmd cmd) {
+        Long pageSizeVal = cmd.getPageSizeVal();
+        Long startIndex = cmd.getStartIndex();
+        Filter searchFilter = new Filter(ApiKeyPairVO.class, ID, true, startIndex, pageSizeVal);
+
+        final SearchCriteria<ApiKeyPairVO> sc = keyPairSearch.create();
+        sc.setParameters(USER_ID, (Object[]) userIds.toArray(new Long[0]));
+
+        Pair<List<ApiKeyPairVO>, Integer> apiKeyPairVOList = searchAndCount(sc, searchFilter);
+        if (CollectionUtils.isEmpty(apiKeyPairVOList.first())) {
+            return new Pair<>(List.of(), 0);
+        }
+        return apiKeyPairVOList;
+    }
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDao.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDao.java
new file mode 100644
index 00000000000..cbca2fd7274
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDao.java
@@ -0,0 +1,28 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import com.cloud.utils.db.GenericDao;
+import org.apache.cloudstack.acl.ApiKeyPairPermissionVO;
+
+import java.util.List;
+
+public interface ApiKeyPairPermissionsDao extends GenericDao<ApiKeyPairPermissionVO, Long> {
+        List<ApiKeyPairPermissionVO> findAllByApiKeyPairId(Long apiKeyPairId);
+
+        List<ApiKeyPairPermissionVO> findAllByKeyPairIdSorted(Long apiKeyPairId);
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDaoImpl.java b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDaoImpl.java
new file mode 100644
index 00000000000..4510e0ae289
--- /dev/null
+++ b/engine/schema/src/main/java/org/apache/cloudstack/acl/dao/ApiKeyPairPermissionsDaoImpl.java
@@ -0,0 +1,71 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.dao;
+
+import com.cloud.utils.db.Filter;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+import java.util.Collections;
+import java.util.Objects;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.cloudstack.acl.ApiKeyPairPermissionVO;
+import org.springframework.stereotype.Component;
+
+import java.util.List;
+
+@Component
+public class ApiKeyPairPermissionsDaoImpl extends GenericDaoBase<ApiKeyPairPermissionVO, Long> implements ApiKeyPairPermissionsDao {
+    private static final String API_KEY_PAIR_ID = "apiKeyPairId";
+    private static final String SORT_ORDER = "sortOrder";
+
+    private final SearchBuilder<ApiKeyPairPermissionVO> permissionByApiKeyPairIdSearch;
+
+    public ApiKeyPairPermissionsDaoImpl() {
+        super();
+
+        permissionByApiKeyPairIdSearch = createSearchBuilder();
+        permissionByApiKeyPairIdSearch.and(API_KEY_PAIR_ID, permissionByApiKeyPairIdSearch.entity().getApiKeyPairId(), SearchCriteria.Op.EQ);
+        permissionByApiKeyPairIdSearch.done();
+    }
+
+    public List<ApiKeyPairPermissionVO> findAllByApiKeyPairId(Long apiKeyPairId) {
+        SearchCriteria<ApiKeyPairPermissionVO> sc = permissionByApiKeyPairIdSearch.create();
+        sc.setParameters(API_KEY_PAIR_ID, String.valueOf(apiKeyPairId));
+        return listBy(sc);
+    }
+
+    @Override
+    public ApiKeyPairPermissionVO persist(final ApiKeyPairPermissionVO item) {
+        item.setSortOrder(0);
+        final List<ApiKeyPairPermissionVO> permissionsList = findAllByKeyPairIdSorted(item.getApiKeyPairId());
+        if (!CollectionUtils.isEmpty(permissionsList)) {
+            ApiKeyPairPermissionVO lastPermission = permissionsList.get(permissionsList.size() - 1);
+            item.setSortOrder(lastPermission.getSortOrder() + 1);
+        }
+        return super.persist(item);
+    }
+
+    @Override
+    public List<ApiKeyPairPermissionVO> findAllByKeyPairIdSorted(Long apiKeyPairId) {
+        final SearchCriteria<ApiKeyPairPermissionVO> sc = permissionByApiKeyPairIdSearch.create();
+        sc.setParameters(API_KEY_PAIR_ID, apiKeyPairId);
+        final Filter searchBySorted = new Filter(ApiKeyPairPermissionVO.class, SORT_ORDER, true, null, null);
+        final List<ApiKeyPairPermissionVO> apiKeyPairPermissionList = listBy(sc, searchBySorted);
+        return Objects.requireNonNullElse(apiKeyPairPermissionList, Collections.emptyList());
+    }
+}
diff --git a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/ImageStoreDetailsDaoImpl.java b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/ImageStoreDetailsDaoImpl.java
index ec40dc0dd68..d7e88bd31c3 100644
--- a/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/ImageStoreDetailsDaoImpl.java
+++ b/engine/schema/src/main/java/org/apache/cloudstack/storage/datastore/db/ImageStoreDetailsDaoImpl.java
@@ -77,7 +77,7 @@ public class ImageStoreDetailsDaoImpl extends ResourceDetailsDaoBase<ImageStoreD
         for (ImageStoreDetailVO detail : details) {
             String name = detail.getName();
             String value = detail.getValue();
-            if (name.equals(ApiConstants.KEY) || name.equals(ApiConstants.S3_SECRET_KEY)) {
+            if (name.equals(ApiConstants.KEY) || name.equals(ApiConstants.SECRET_KEY)) {
                 value = DBEncryptionUtil.decrypt(value);
             }
             detailsMap.put(name, value);
diff --git a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
index 0656d5e3c44..edc14d9fa0c 100644
--- a/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
+++ b/engine/schema/src/main/resources/META-INF/cloudstack/core/spring-engine-schema-core-daos-context.xml
@@ -310,4 +310,6 @@
   <bean id="gpuDeviceDaoImpl" class="com.cloud.gpu.dao.GpuDeviceDaoImpl" />
   <bean id="vgpuProfileDaoImpl" class="com.cloud.gpu.dao.VgpuProfileDaoImpl" />
   <bean id="importVMTaskDaoImpl" class="com.cloud.vm.dao.ImportVMTaskDaoImpl" />
+  <bean id="apiKeyPairDaoImpl" class="org.apache.cloudstack.acl.dao.ApiKeyPairDaoImpl" />
+  <bean id="apiKeyPairPermissionsDaoImpl" class="org.apache.cloudstack.acl.dao.ApiKeyPairPermissionsDaoImpl" />
 </beans>
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index d330ecd0c0d..d69b524b85d 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -34,6 +34,19 @@ CREATE TABLE `cloud`.`backup_offering_details` (
 UPDATE `cloud`.`configuration` SET value='random' WHERE name IN ('vm.allocation.algorithm', 'volume.allocation.algorithm') AND value='userconcentratedpod_random';
 UPDATE `cloud`.`configuration` SET value='firstfit' WHERE name IN ('vm.allocation.algorithm', 'volume.allocation.algorithm') AND value='userconcentratedpod_firstfit';
 
+-- Create kubernetes_cluster_affinity_group_map table for CKS per-node-type affinity groups
+CREATE TABLE IF NOT EXISTS `cloud`.`kubernetes_cluster_affinity_group_map` (
+    `id` bigint unsigned NOT NULL AUTO_INCREMENT,
+    `cluster_id` bigint unsigned NOT NULL COMMENT 'kubernetes cluster id',
+    `node_type` varchar(32) NOT NULL COMMENT 'CONTROL, WORKER, or ETCD',
+    `affinity_group_id` bigint unsigned NOT NULL COMMENT 'affinity group id',
+    PRIMARY KEY (`id`),
+    CONSTRAINT `fk_kubernetes_cluster_ag_map__cluster_id` FOREIGN KEY (`cluster_id`) REFERENCES `kubernetes_cluster`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kubernetes_cluster_ag_map__ag_id` FOREIGN KEY (`affinity_group_id`) REFERENCES `affinity_group`(`id`) ON DELETE CASCADE,
+    INDEX `i_kubernetes_cluster_ag_map__cluster_id`(`cluster_id`),
+    INDEX `i_kubernetes_cluster_ag_map__ag_id`(`affinity_group_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
 -- Create webhook_filter table
 DROP TABLE IF EXISTS `cloud`.`webhook_filter`;
 CREATE TABLE IF NOT EXISTS `cloud`.`webhook_filter` (
@@ -49,3 +62,55 @@ CREATE TABLE IF NOT EXISTS `cloud`.`webhook_filter` (
     INDEX `i_webhook_filter__webhook_id`(`webhook_id`),
     CONSTRAINT `fk_webhook_filter__webhook_id` FOREIGN KEY(`webhook_id`) REFERENCES `webhook`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- "api_keypair" table for API and secret keys
+CREATE TABLE IF NOT EXISTS `cloud`.`api_keypair` (
+    `id` bigint(20) unsigned NOT NULL auto_increment,
+    `uuid` varchar(40) UNIQUE NOT NULL,
+    `name` varchar(255) NOT NULL,
+    `domain_id` bigint(20) unsigned NOT NULL,
+    `account_id` bigint(20) unsigned NOT NULL,
+    `user_id` bigint(20) unsigned NOT NULL,
+    `start_date` datetime,
+    `end_date` datetime,
+    `description` varchar(100),
+    `api_key` varchar(255) NOT NULL,
+    `secret_key` varchar(255) NOT NULL,
+    `created` datetime NOT NULL,
+    `removed` datetime,
+    PRIMARY KEY (`id`),
+    CONSTRAINT `fk_api_keypair__user_id` FOREIGN KEY(`user_id`) REFERENCES `cloud`.`user`(`id`),
+    CONSTRAINT `fk_api_keypair__account_id` FOREIGN KEY(`account_id`) REFERENCES `cloud`.`account`(`id`),
+    CONSTRAINT `fk_api_keypair__domain_id` FOREIGN KEY(`domain_id`) REFERENCES `cloud`.`domain`(`id`)
+);
+
+-- "api_keypair_permissions" table for API key pairs permissions
+CREATE TABLE IF NOT EXISTS `cloud`.`api_keypair_permissions` (
+    `id` bigint(20) unsigned NOT NULL auto_increment,
+    `uuid` varchar(40) UNIQUE,
+    `sort_order` bigint(20) unsigned NOT NULL DEFAULT 0,
+    `rule` varchar(255) NOT NULL,
+    `api_keypair_id` bigint(20) unsigned NOT NULL,
+    `permission` varchar(255) NOT NULL,
+    `description` varchar(255),
+    PRIMARY KEY (`id`),
+    CONSTRAINT `fk_keypair_permissions__api_keypair_id` FOREIGN KEY(`api_keypair_id`) REFERENCES `cloud`.`api_keypair`(`id`)
+);
+
+-- Populate "api_keypair" table with existing user API keys
+INSERT INTO `cloud`.`api_keypair` (uuid, user_id, domain_id, account_id, api_key, secret_key, created, name)
+SELECT UUID(), user.id, account.domain_id, account.id, user.api_key, user.secret_key, NOW(), 'Active key pair'
+FROM `cloud`.`user` AS user
+JOIN `cloud`.`account` AS account ON user.account_id = account.id
+WHERE user.api_key IS NOT NULL AND user.secret_key IS NOT NULL;
+
+-- Drop API keys from user table
+ALTER TABLE `cloud`.`user` DROP COLUMN api_key, DROP COLUMN secret_key;
+
+-- Grant access to the "deleteUserKeys" API to the "User", "Domain Admin" and "Resource Admin" roles, similarly to the "registerUserKeys" API
+CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('User', 'deleteUserKeys', 'ALLOW');
+CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Domain Admin', 'deleteUserKeys', 'ALLOW');
+CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Resource Admin', 'deleteUserKeys', 'ALLOW');
+
+-- Add conserve mode for VPC offerings
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tinyint(1) unsigned NULL DEFAULT 0 COMMENT ''True if the VPC offering is IP conserve mode enabled, allowing public IP services to be used across multiple VPC tiers'' ');
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql
index 340cfa9055f..dcba71e1098 100644
--- a/engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql
@@ -29,8 +29,6 @@ select
     user.lastname,
     user.email,
     user.state,
-    user.api_key,
-    user.secret_key,
     user.created,
     user.removed,
     user.timezone,
diff --git a/engine/schema/src/main/resources/META-INF/db/views/cloud.vpc_offering_view.sql b/engine/schema/src/main/resources/META-INF/db/views/cloud.vpc_offering_view.sql
index 751d8f91a25..3669bb10122 100644
--- a/engine/schema/src/main/resources/META-INF/db/views/cloud.vpc_offering_view.sql
+++ b/engine/schema/src/main/resources/META-INF/db/views/cloud.vpc_offering_view.sql
@@ -38,6 +38,7 @@ select
     `vpc_offerings`.`sort_key` AS `sort_key`,
     `vpc_offerings`.`routing_mode` AS `routing_mode`,
     `vpc_offerings`.`specify_as_number` AS `specify_as_number`,
+    `vpc_offerings`.`conserve_mode` AS `conserve_mode`,
     group_concat(distinct `domain`.`id` separator ',') AS `domain_id`,
     group_concat(distinct `domain`.`uuid` separator ',') AS `domain_uuid`,
     group_concat(distinct `domain`.`name` separator ',') AS `domain_name`,
diff --git a/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java b/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
index 6a1ddd06dcc..6b21f2c2895 100644
--- a/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
+++ b/engine/storage/datamotion/src/main/java/org/apache/cloudstack/storage/motion/StorageSystemDataMotionStrategy.java
@@ -2604,8 +2604,7 @@ public class StorageSystemDataMotionStrategy implements DataMotionStrategy {
                 throw new CloudRuntimeException("Destination storage pool with ID " + dataStore.getId() + " was not located.");
             }
 
-            boolean isSrcAndDestPoolPowerFlexStorage = srcStoragePoolVO.getPoolType().equals(Storage.StoragePoolType.PowerFlex) && destStoragePoolVO.getPoolType().equals(Storage.StoragePoolType.PowerFlex);
-            if (srcStoragePoolVO.isManaged() && !isSrcAndDestPoolPowerFlexStorage && srcStoragePoolVO.getId() != destStoragePoolVO.getId()) {
+            if (srcStoragePoolVO.isManaged() && srcStoragePoolVO.getId() != destStoragePoolVO.getId()) {
                 throw new CloudRuntimeException("Migrating a volume online with KVM from managed storage is not currently supported.");
             }
 
diff --git a/engine/storage/src/main/java/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java b/engine/storage/src/main/java/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
index dbb606b44a8..51edd62326d 100644
--- a/engine/storage/src/main/java/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
+++ b/engine/storage/src/main/java/org/apache/cloudstack/storage/image/datastore/ImageStoreHelper.java
@@ -131,7 +131,7 @@ public class ImageStoreHelper {
                 String key = keyIter.next().toString();
                 String value = details.get(key);
                 // encrypt swift key or s3 secret key
-                if (key.equals(ApiConstants.KEY) || key.equals(ApiConstants.S3_SECRET_KEY)) {
+                if (key.equals(ApiConstants.KEY) || key.equals(ApiConstants.SECRET_KEY)) {
                     value = DBEncryptionUtil.encrypt(value);
                 }
                 ImageStoreDetailVO detail = new ImageStoreDetailVO(store.getId(), key, value, true);
diff --git a/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java b/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
index c19ec751153..ef50064050f 100644
--- a/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
+++ b/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
@@ -420,6 +420,14 @@ public class ConfigKey<T> {
         return value();
     }
 
+    /**
+     * @deprecated
+     * Still used by some external code, but use {@link ConfigKey#valueInScope(Scope, Long)} instead.
+     */
+    public T valueInDomain(Long domainId) {
+        return valueInScope(Scope.Domain, domainId);
+    }
+
     public T valueInScope(Scope scope, Long id) {
         if (id == null) {
             return value();
diff --git a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
index 030e0bcf014..f3e2335519a 100644
--- a/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/dynamic-role-based/src/main/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -17,15 +17,18 @@
 package org.apache.cloudstack.acl;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.utils.cache.LazyCache;
@@ -47,7 +50,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     private RoleService roleService;
 
     private List<PluggableService> services;
-    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<RoleType, Set<String>>();
+    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<>();
 
     private LazyCache<Long, Account> accountCache;
     private LazyCache<Long, Pair<Role, List<RolePermission>>> rolePermissionsCache;
@@ -56,7 +59,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     protected DynamicRoleBasedAPIAccessChecker() {
         super();
         for (RoleType roleType : RoleType.values()) {
-            annotationRoleBasedApisMap.put(roleType, new HashSet<String>());
+            annotationRoleBasedApisMap.put(roleType, new HashSet<>());
         }
     }
 
@@ -67,9 +70,12 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
         }
 
         List<RolePermission> allPermissions = roleService.findAllPermissionsBy(role.getId());
+        List<RolePermissionEntity> allPermissionEntities = allPermissions.stream().map(permission -> (RolePermissionEntity) permission)
+                .collect(Collectors.toList());
+
         List<String> allowedApis = new ArrayList<>();
         for (String api : apiNames) {
-            if (checkApiPermissionByRole(role, api, allPermissions)) {
+            if (checkApiPermissionByRole(role, api, allPermissionEntities, false)) {
                 allowedApis.add(api);
             }
         }
@@ -84,8 +90,8 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
      * @param allPermissions list of role permissions for the given role
      * @return if the role has the permission for the API
      */
-    public boolean checkApiPermissionByRole(Role role, String apiName, List<RolePermission> allPermissions) {
-        for (final RolePermission permission : allPermissions) {
+    public boolean checkApiPermissionByRole(Role role, String apiName, List<RolePermissionEntity> allPermissions, boolean keyPairOverride) {
+        for (RolePermissionEntity permission : allPermissions) {
             if (!permission.getRule().matches(apiName)) {
                 continue;
             }
@@ -94,13 +100,13 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
                 return false;
             }
 
-            if (logger.isTraceEnabled()) {
-                logger.trace(String.format("The API [%s] is allowed for the role %s by the permission [%s].", apiName, role, permission.getRule().toString()));
-            }
+            logger.trace("The API [{}] is allowed for the role {} by the permission [{}].", apiName, role, permission.getRule().toString());
             return true;
         }
+
         return annotationRoleBasedApisMap.get(role.getRoleType()) != null &&
-                annotationRoleBasedApisMap.get(role.getRoleType()).contains(apiName);
+                annotationRoleBasedApisMap.get(role.getRoleType()).contains(apiName) &&
+                !keyPairOverride;
     }
 
     protected Account getAccountFromId(long accountId) {
@@ -135,49 +141,46 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
     }
 
     @Override
-    public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
+    public boolean checkAccess(User user, String commandName, ApiKeyPairPermission ... apiKeyPairPermissions) throws PermissionDeniedException {
         if (!isEnabled()) {
             return true;
         }
         Account account = getAccountFromIdUsingCache(user.getAccountId());
         if (account == null) {
-            throw new PermissionDeniedException(String.format("Account for user id [%s] cannot be found", user.getUuid()));
+            throw new PermissionDeniedException(String.format("Account for user with ID [%s] cannot be found", user.getUuid()));
         }
-        Pair<Role, List<RolePermission>> roleAndPermissions = getRolePermissionsUsingCache(account.getRoleId());
-        final Role accountRole = roleAndPermissions.first();
-        if (accountRole == null) {
-            throw new PermissionDeniedException(String.format("Account role for user id [%s] cannot be found.", user.getUuid()));
-        }
-        if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
-            logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());
-            return true;
-        }
-        List<RolePermission> allPermissions = roleAndPermissions.second();
-        if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
-            return true;
-        }
-        throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account for user id [%s].", commandName, user.getUuid()));
+
+        return checkAccess(account, commandName, apiKeyPairPermissions);
     }
 
-    public boolean checkAccess(Account account, String commandName) {
+    @Override
+    public boolean checkAccess(Account account, String commandName, ApiKeyPairPermission ... apiKeyPairPermissions) {
         Pair<Role, List<RolePermission>> roleAndPermissions = getRolePermissionsUsingCache(account.getRoleId());
         final Role accountRole = roleAndPermissions.first();
         if (accountRole == null) {
             throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.", account));
         }
 
-        if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
-            if (logger.isTraceEnabled()) {
-                logger.trace(String.format("Account [%s] is Root Admin or Domain Admin, all APIs are allowed.", account));
-            }
+        if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId() && apiKeyPairPermissions.length == 0) {
+            logger.info("Account [{}] is Root Admin and there aren't any API key pair permissions involved, thus, all APIs are allowed.", account);
             return true;
         }
 
-        List<RolePermission> allPermissions = roleService.findAllPermissionsBy(accountRole.getId());
-        if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
+        boolean considerKeyPairPermissions = apiKeyPairPermissions.length > 0;
+        List<RolePermissionEntity> allRules = considerKeyPairPermissions ? Arrays.asList(apiKeyPairPermissions) : new ArrayList<>(roleAndPermissions.second());
+        if (checkApiPermissionByRole(accountRole, commandName, allRules, considerKeyPairPermissions)) {
             return true;
         }
-        throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account));
+
+        throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account.getAccountName()));
+    }
+
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return annotationRoleBasedApisMap.get(roleType)
+                .stream()
+                .map(implicitApi -> new RolePermissionBaseVO(implicitApi, Permission.ALLOW))
+                .collect(Collectors.toList());
     }
 
     /**
diff --git a/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java b/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java
index e58be3a75e7..71fbbb4a365 100644
--- a/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java
+++ b/plugins/acl/dynamic-role-based/src/test/java/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessCheckerTest.java
@@ -22,6 +22,8 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
+import com.cloud.exception.UnavailableCommandException;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ -195,4 +197,68 @@ public class DynamicRoleBasedAPIAccessCheckerTest extends TestCase {
         List<String> apisReceived = apiAccessCheckerSpy.getApisAllowedToUser(getTestRole(), getTestUser(), apiNames);
         Assert.assertEquals(0, apisReceived.size());
     }
+
+    @Test(expected = UnavailableCommandException.class)
+    public void checkAccessTestInvalidApiKeyPairPermission() {
+        final String api = "someDeniedApi";
+        final ApiKeyPairPermission permission = new ApiKeyPairPermissionVO(1L, api, Permission.DENY, null);
+        assertFalse(apiAccessCheckerSpy.checkAccess(getTestUser(), api, permission));
+    }
+
+    @Test(expected = UnavailableCommandException.class)
+    public void checkAccessTestUnrelatedApiKeyPairPermission() {
+        final String api = "someDeniedApi";
+        final ApiKeyPairPermission permission = new ApiKeyPairPermissionVO(1L, "apiName", Permission.ALLOW, null);
+        assertFalse(apiAccessCheckerSpy.checkAccess(getTestUser(), api, permission));
+    }
+
+    @Test
+    public void checkAccessTestValidApiKeyPairPermission() {
+        final String api = "someAllowedApi";
+        final ApiKeyPairPermission permission = new ApiKeyPairPermissionVO(1L, api, Permission.ALLOW, null);
+        assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, permission));
+    }
+
+    @Test
+    public void checkAccessTestValidMultipleApiKeyPermissions() {
+        final String api = "someAllowedApi";
+        final ApiKeyPairPermission[] permissions = new ApiKeyPairPermission[]{
+            new ApiKeyPairPermissionVO(1L, "someDeniedApi", Permission.DENY, null),
+            new ApiKeyPairPermissionVO(1L, api, Permission.ALLOW, null)
+        };
+        assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, permissions));
+    }
+
+    @Test(expected = UnavailableCommandException.class)
+    public void checkAccessTestInvalidMultipleApiKeyPermissions() {
+        final String api = "someDeniedApi";
+        final ApiKeyPairPermission[] permissions = new ApiKeyPairPermission[]{
+                new ApiKeyPairPermissionVO(1L, "someAllowedApi", Permission.ALLOW, null),
+                new ApiKeyPairPermissionVO(1L, api, Permission.DENY, null)
+        };
+        assertFalse(apiAccessCheckerSpy.checkAccess(getTestUser(), api, permissions));
+    }
+
+
+    @Test
+    public void checkAccessTestValidApiKeyPairPermissionWithNullOverride() {
+        final String api = "someAllowedApi";
+        final ApiKeyPairPermission[] emptyPermissionArray = List.of().toArray(new ApiKeyPairPermission[0]);
+        final RolePermission permission = new RolePermissionVO(1L, api, Permission.ALLOW, null);
+        Mockito.doReturn(Collections.singletonList(permission)).when(roleServiceMock).findAllPermissionsBy(Mockito.anyLong());
+
+        assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, emptyPermissionArray));
+        Mockito.verify(roleServiceMock).findAllPermissionsBy(Mockito.anyLong());
+    }
+
+    @Test(expected = UnavailableCommandException.class)
+    public void checkAccessTestInvalidApiKeyPairPermissionWithNullOverride() {
+        final String api = "someDeniedApi";
+        final ApiKeyPairPermission[] emptyPermissionArray = List.of().toArray(new ApiKeyPairPermission[0]);
+        final RolePermission permission = new RolePermissionVO(1L, api, Permission.DENY, null);
+        Mockito.doReturn(Collections.singletonList(permission)).when(roleServiceMock).findAllPermissionsBy(Mockito.anyLong());
+
+        assertTrue(apiAccessCheckerSpy.checkAccess(getTestUser(), api, emptyPermissionArray));
+        Mockito.verify(roleServiceMock, Mockito.times(1)).findAllPermissionsBy(Mockito.anyLong());
+    }
 }
diff --git a/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java b/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java
index 2e7ae23d6f1..8513f458660 100644
--- a/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java
+++ b/plugins/acl/project-role-based/src/main/java/org/apache/cloudstack/acl/ProjectRoleBasedApiAccessChecker.java
@@ -23,6 +23,7 @@ import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
 
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.exception.PermissionDeniedException;
@@ -105,7 +106,7 @@ public class ProjectRoleBasedApiAccessChecker  extends AdapterBase implements AP
     }
 
     @Override
-    public boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException {
+    public boolean checkAccess(User user, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException {
         if (!isEnabled()) {
             return true;
         }
@@ -150,7 +151,7 @@ public class ProjectRoleBasedApiAccessChecker  extends AdapterBase implements AP
     }
 
     @Override
-    public boolean checkAccess(Account account, String apiCommandName) throws PermissionDeniedException {
+    public boolean checkAccess(Account account, String apiCommandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException {
         return true;
     }
 
@@ -182,6 +183,11 @@ public class ProjectRoleBasedApiAccessChecker  extends AdapterBase implements AP
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean start() {
         return super.start();
diff --git a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index 3444f967d78..6cf4da88f5c 100644
--- a/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++ b/plugins/acl/static-role-based/src/main/java/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -21,11 +21,13 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
 import com.cloud.exception.UnavailableCommandException;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 
 import org.apache.cloudstack.api.APICommand;
 
@@ -90,7 +92,7 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
     }
 
     @Override
-    public boolean checkAccess(User user, String commandName) throws PermissionDeniedException {
+    public boolean checkAccess(User user, String commandName, ApiKeyPairPermission... apiKeyPairPermissions) throws PermissionDeniedException {
         if (!isEnabled()) {
             return true;
         }
@@ -104,7 +106,7 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
     }
 
     @Override
-    public boolean checkAccess(Account account, String commandName) {
+    public boolean checkAccess(Account account, String commandName, ApiKeyPairPermission... apiKeyPairPermissions) {
         if (!isEnabled()) {
             return true;
         }
@@ -163,6 +165,14 @@ public class StaticRoleBasedAPIAccessChecker extends AdapterBase implements APIA
         return super.start();
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return annotationRoleBasedApisMap.get(roleType)
+                .stream()
+                .map(implicitApi -> new RolePermissionBaseVO(implicitApi, RolePermissionEntity.Permission.ALLOW))
+                .collect(Collectors.toList());
+    }
+
     private void processMapping(Map<String, String> configMap) {
         for (Map.Entry<String, String> entry : configMap.entrySet()) {
             String apiName = entry.getKey();
diff --git a/plugins/api/discovery/pom.xml b/plugins/api/discovery/pom.xml
index b0f29612911..1992da81e5f 100644
--- a/plugins/api/discovery/pom.xml
+++ b/plugins/api/discovery/pom.xml
@@ -39,6 +39,12 @@
             <artifactId>cloud-utils</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-api-limit-account-based</artifactId>
+            <version>${project.version}</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
diff --git a/plugins/api/discovery/src/main/java/org/apache/cloudstack/api/command/user/discovery/ListApisCmd.java b/plugins/api/discovery/src/main/java/org/apache/cloudstack/api/command/user/discovery/ListApisCmd.java
index 9c01435fbf4..8cd31939da0 100644
--- a/plugins/api/discovery/src/main/java/org/apache/cloudstack/api/command/user/discovery/ListApisCmd.java
+++ b/plugins/api/discovery/src/main/java/org/apache/cloudstack/api/command/user/discovery/ListApisCmd.java
@@ -52,7 +52,7 @@ public class ListApisCmd extends BaseCmd {
     public void execute() throws ServerApiException {
         if (_apiDiscoveryService != null) {
             User user = CallContext.current().getCallingUser();
-            ListResponse<ApiDiscoveryResponse> response = (ListResponse<ApiDiscoveryResponse>)_apiDiscoveryService.listApis(user, name);
+            ListResponse<ApiDiscoveryResponse> response = (ListResponse<ApiDiscoveryResponse>)_apiDiscoveryService.listApis(user, name, this);
             if (response == null) {
                 throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Api Discovery plugin was unable to find an api by that name or process any apis");
             }
diff --git a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryService.java b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryService.java
index 5a6eab7389d..073010a8eb6 100644
--- a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryService.java
+++ b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryService.java
@@ -18,6 +18,7 @@ package org.apache.cloudstack.discovery;
 
 import com.cloud.user.Account;
 import org.apache.cloudstack.api.BaseResponse;
+import org.apache.cloudstack.api.command.user.discovery.ListApisCmd;
 import org.apache.cloudstack.api.response.ListResponse;
 
 import com.cloud.user.User;
@@ -28,5 +29,5 @@ import java.util.List;
 public interface ApiDiscoveryService extends PluggableService {
     List<String> listApiNames(Account account);
 
-    ListResponse<? extends BaseResponse> listApis(User user, String apiName);
+    ListResponse<? extends BaseResponse> listApis(User user, String apiName, ListApisCmd cmd);
 }
diff --git a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java
index 4493f1e9074..d412f12fce2 100644
--- a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java
+++ b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java
@@ -26,6 +26,7 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
@@ -33,6 +34,8 @@ import org.apache.cloudstack.acl.APIChecker;
 import org.apache.cloudstack.acl.Role;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -44,6 +47,7 @@ import org.apache.cloudstack.api.response.ApiDiscoveryResponse;
 import org.apache.cloudstack.api.response.ApiParameterResponse;
 import org.apache.cloudstack.api.response.ApiResponseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.ratelimit.ApiRateLimitService;
 import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.collections.CollectionUtils;
@@ -78,6 +82,9 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
     @Inject
     RoleService roleService;
 
+    @Inject
+    ApiKeyPairService apiKeyPairService;
+
     protected ApiDiscoveryServiceImpl() {
         super();
     }
@@ -257,16 +264,24 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
     }
 
     @Override
-    public ListResponse<? extends BaseResponse> listApis(User user, String name) {
+    public ListResponse<? extends BaseResponse> listApis(User user, String name, ListApisCmd cmd) {
         ListResponse<ApiDiscoveryResponse> response = new ListResponse<>();
         List<ApiDiscoveryResponse> responseList = new ArrayList<>();
         List<String> apisAllowed = new ArrayList<>(s_apiNameDiscoveryResponseMap.keySet());
+        String apikey = accountService.getAccessingApiKey(cmd);
 
         if (user == null)
             return null;
-        Account account = accountService.getAccount(user.getAccountId());
 
-        if (name != null) {
+        Account account = accountService.getAccount(user.getAccountId());
+        if (account == null) {
+            throw new PermissionDeniedException(String.format("The account with id [%s] for user [%s] is null.", user.getAccountId(), user));
+        }
+
+        Role role = roleService.findRole(account.getRoleId());
+        if (apikey != null) {
+            responseList = listApisForKeyPair(apikey, name, user, role, apisAllowed);
+        } else if (name != null) {
             if (!s_apiNameDiscoveryResponseMap.containsKey(name))
                 return null;
 
@@ -281,11 +296,6 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
             responseList.add(getApiDiscoveryResponseWithAccessibleParams(name, account));
 
         } else {
-            if (account == null) {
-                throw new PermissionDeniedException(String.format("The account with id [%s] for user [%s] is null.", user.getAccountId(), user));
-            }
-
-            final Role role = roleService.findRole(account.getRoleId());
             if (role == null || role.getId() < 1L) {
                 throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.",
                         ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
@@ -343,6 +353,44 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
         return cmdList;
     }
 
+    protected List<ApiDiscoveryResponse> listApisForKeyPair(String apiKey, String apiName, User user, Role role, List<String> apisAllowed) {
+        List<RolePermissionEntity> keyPairPermissions = accountService.getAllKeypairPermissions(apiKey);
+
+        List<String> filteredApis = new ArrayList<>();
+        if (apiName != null && isApiAllowedForKey(keyPairPermissions, apiName)) {
+            filteredApis = List.of(apiName);
+        } else {
+            for (String api : apisAllowed) {
+                if (isApiAllowedForKey(keyPairPermissions, api)) {
+                    filteredApis.add(api);
+                }
+            }
+        }
+
+        checkRateLimit(user, role, filteredApis);
+        return filteredApis.stream().map(api -> s_apiNameDiscoveryResponseMap.get(api)).collect(Collectors.toList());
+    }
+
+    protected boolean isApiAllowedForKey(List<RolePermissionEntity> rolePermissionEntities, String apiName) {
+        for (RolePermissionEntity rolePermissionEntity : rolePermissionEntities) {
+            if (!rolePermissionEntity.getRule().matches(apiName)) {
+                continue;
+            }
+            return rolePermissionEntity.getPermission().equals(RolePermissionEntity.Permission.ALLOW);
+        }
+        return false;
+    }
+
+    private void checkRateLimit(User user, Role role, List<String> apiNames) {
+        for (APIChecker apiChecker : _apiAccessCheckers) {
+            if (!(apiChecker instanceof ApiRateLimitService)) {
+                continue;
+            }
+            apiChecker.getApisAllowedToUser(role, user, apiNames);
+            return;
+        }
+    }
+
     public List<APIChecker> getApiAccessCheckers() {
         return _apiAccessCheckers;
     }
diff --git a/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java b/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java
index d33774cad03..59415ccd1eb 100644
--- a/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java
+++ b/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java
@@ -99,7 +99,7 @@ public class ApiDiscoveryTest {
     @Test (expected = PermissionDeniedException.class)
     public void listApisTestThrowPermissionDeniedExceptionOnAccountNull() throws PermissionDeniedException {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(null);
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
     }
 
     @Test (expected = PermissionDeniedException.class)
@@ -107,7 +107,7 @@ public class ApiDiscoveryTest {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount());
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(null);
 
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
     }
 
     @Test (expected = PermissionDeniedException.class)
@@ -117,7 +117,7 @@ public class ApiDiscoveryTest {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount());
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(unknownRoleVO);
 
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
     }
 
     @Test
@@ -128,7 +128,7 @@ public class ApiDiscoveryTest {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(adminAccountVO);
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(adminRoleVO);
 
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
 
         Mockito.verify(apiCheckerMock, Mockito.times(0)).getApisAllowedToUser(any(Role.class), any(User.class), anyList());
     }
@@ -140,7 +140,7 @@ public class ApiDiscoveryTest {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount());
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(userRoleVO);
 
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
 
         Mockito.verify(apiCheckerMock, Mockito.times(1)).getApisAllowedToUser(any(Role.class), any(User.class), anyList());
     }
@@ -153,7 +153,7 @@ public class ApiDiscoveryTest {
         Mockito.when(mockUserAccount.getDetails()).thenReturn(userDetails);
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount());
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(userRoleVO);
-        discoveryServiceSpy.listApis(getTestUser(), null);
+        discoveryServiceSpy.listApis(getTestUser(), null, null);
         Mockito.verify(apiCheckerMock, Mockito.times(1)).getApisAllowedToUser(any(Role.class), any(User.class), anyList());
     }
 
@@ -166,7 +166,7 @@ public class ApiDiscoveryTest {
         Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount());
         Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(userRoleVO);
         Mockito.when(apiNameDiscoveryResponseMapMock.get(Mockito.anyString())).thenReturn(Mockito.mock(ApiDiscoveryResponse.class));
-        ListResponse<ApiDiscoveryResponse> response = (ListResponse<ApiDiscoveryResponse>) discoveryServiceSpy.listApis(getTestUser(), null);
+        ListResponse<ApiDiscoveryResponse> response = (ListResponse<ApiDiscoveryResponse>) discoveryServiceSpy.listApis(getTestUser(), null, null);
         Assert.assertEquals(4, response.getResponses().size());
     }
 }
diff --git a/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java b/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
index 917cd7bb2b4..afa2b6155de 100644
--- a/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
+++ b/plugins/api/rate-limit/src/main/java/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
@@ -27,6 +27,9 @@ import net.sf.ehcache.Cache;
 import net.sf.ehcache.CacheManager;
 
 import org.apache.cloudstack.acl.Role;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.springframework.stereotype.Component;
 
@@ -161,17 +164,17 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker,
     }
 
     @Override
-    public boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException {
+    public boolean checkAccess(User user, String apiCommandName, ApiKeyPairPermission ... apiKeyPairPermissions) throws PermissionDeniedException {
         if (!isEnabled()) {
             return true;
         }
 
         Account account = _accountService.getAccount(user.getAccountId());
-        return checkAccess(account, apiCommandName);
+        return checkAccess(account, apiCommandName, apiKeyPairPermissions);
     }
 
     @Override
-    public boolean checkAccess(Account account, String commandName) {
+    public boolean checkAccess(Account account, String commandName, ApiKeyPairPermission ... apiKeyPairPermissions) {
         Long accountId = account.getAccountId();
         if (_accountService.isRootAdmin(accountId)) {
             logger.info(String.format("Account [%s] is Root Admin, in this case, API limit does not apply.",
@@ -207,6 +210,11 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker,
         return true;
     }
 
+    @Override
+    public List<RolePermissionEntity> getImplicitRolePermissions(RoleType roleType) {
+        return List.of();
+    }
+
     @Override
     public boolean isEnabled() {
         if (!enabled) {
diff --git a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
index 42e94c1c017..f9456587058 100644
--- a/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
+++ b/plugins/database/quota/src/main/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImpl.java
@@ -252,7 +252,7 @@ public class QuotaResponseBuilderImpl implements QuotaResponseBuilder {
     }
 
     public boolean isUserAllowedToSeeActivationRules(User user) {
-        List<ApiDiscoveryResponse> apiList = (List<ApiDiscoveryResponse>) apiDiscoveryService.listApis(user, null).getResponses();
+        List<ApiDiscoveryResponse> apiList = (List<ApiDiscoveryResponse>) apiDiscoveryService.listApis(user, null, null).getResponses();
         return apiList.stream().anyMatch(response -> StringUtils.equalsAny(response.getName(), "quotaTariffCreate", "quotaTariffUpdate"));
     }
 
diff --git a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
index 1f5480404e4..3629bf2e3fe 100644
--- a/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
+++ b/plugins/database/quota/src/test/java/org/apache/cloudstack/api/response/QuotaResponseBuilderImplTest.java
@@ -652,7 +652,7 @@ public class QuotaResponseBuilderImplTest extends TestCase {
         ListResponse<ApiDiscoveryResponse> responseList = new ListResponse<>();
         responseList.setResponses(cmdList);
 
-        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null);
+        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null, null);
 
         assertTrue(quotaResponseBuilderSpy.isUserAllowedToSeeActivationRules(userMock));
     }
@@ -668,7 +668,7 @@ public class QuotaResponseBuilderImplTest extends TestCase {
         ListResponse<ApiDiscoveryResponse> responseList = new ListResponse<>();
         responseList.setResponses(cmdList);
 
-        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null);
+        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null, null);
 
         assertTrue(quotaResponseBuilderSpy.isUserAllowedToSeeActivationRules(userMock));
     }
@@ -684,7 +684,7 @@ public class QuotaResponseBuilderImplTest extends TestCase {
         ListResponse<ApiDiscoveryResponse> responseList = new ListResponse<>();
         responseList.setResponses(cmdList);
 
-        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null);
+        Mockito.doReturn(responseList).when(discoveryServiceMock).listApis(userMock, null, null);
 
         assertFalse(quotaResponseBuilderSpy.isUserAllowedToSeeActivationRules(userMock));
     }
diff --git a/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BaremetalVlanManagerImpl.java b/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BaremetalVlanManagerImpl.java
index 5695325fb13..c05d52326ce 100644
--- a/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BaremetalVlanManagerImpl.java
+++ b/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/manager/BaremetalVlanManagerImpl.java
@@ -263,9 +263,8 @@ public class BaremetalVlanManagerImpl extends ManagerBase implements BaremetalVl
         user.setSource(User.Source.UNKNOWN);
         user = userDao.persist(user);
 
-        String[] keys = acntMgr.createApiKeyAndSecretKey(user.getId());
-        user.setApiKey(keys[0]);
-        user.setSecretKey(keys[1]);
+        acntMgr.createApiKeyAndSecretKey(user.getId());
+
         userDao.update(user.getId(), user);
         return true;
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index 0a90352f70d..5d966634d4c 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -884,7 +884,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     protected StorageSubsystemCommandHandler storageHandler;
 
     private boolean convertInstanceVerboseMode = false;
-    private String[] convertInstanceEnv = null;
+    private Map<String, String> convertInstanceEnv = null;
     protected boolean dpdkSupport = false;
     protected String dpdkOvsPath;
     protected String directDownloadTemporaryDownloadPath;
@@ -949,7 +949,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
         return convertInstanceVerboseMode;
     }
 
-    public String[] getConvertInstanceEnv() {
+    public Map<String, String> getConvertInstanceEnv() {
         return convertInstanceEnv;
     }
 
@@ -1439,14 +1439,14 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
             return;
         }
         if (StringUtils.isNotBlank(convertEnvTmpDir) && StringUtils.isNotBlank(convertEnvVirtv2vTmpDir)) {
-            convertInstanceEnv = new String[2];
-            convertInstanceEnv[0] = String.format("%s=%s", "TMPDIR", convertEnvTmpDir);
-            convertInstanceEnv[1] = String.format("%s=%s", "VIRT_V2V_TMPDIR", convertEnvVirtv2vTmpDir);
+            convertInstanceEnv = new HashMap<>(2);
+            convertInstanceEnv.put("TMPDIR", convertEnvTmpDir);
+            convertInstanceEnv.put("VIRT_V2V_TMPDIR", convertEnvVirtv2vTmpDir);
         } else {
-            convertInstanceEnv = new String[1];
+            convertInstanceEnv = new HashMap<>(1);
             String key = StringUtils.isNotBlank(convertEnvTmpDir) ? "TMPDIR" : "VIRT_V2V_TMPDIR";
             String value = StringUtils.isNotBlank(convertEnvTmpDir) ? convertEnvTmpDir : convertEnvVirtv2vTmpDir;
-            convertInstanceEnv[0] = String.format("%s=%s", key, value);
+            convertInstanceEnv.put(key, value);
         }
     }
 
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
index 93895349a6e..66a5f5dd7d2 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtConvertInstanceCommandWrapper.java
@@ -22,9 +22,11 @@ import java.net.URLEncoder;
 import java.nio.charset.Charset;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 
 import org.apache.cloudstack.storage.to.PrimaryDataStoreTO;
+import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.lang3.StringUtils;
 
 import com.cloud.agent.api.Answer;
@@ -244,7 +246,12 @@ public class LibvirtConvertInstanceCommandWrapper extends CommandWrapper<Convert
 
         String logPrefix = String.format("(%s) virt-v2v ovf source: %s progress", originalVMName, sourceOVFDirPath);
         OutputInterpreter.LineByLineOutputLogger outputLogger = new OutputInterpreter.LineByLineOutputLogger(logger, logPrefix);
-        script.execute(outputLogger);
+        Map<String, String> convertInstanceEnv = serverResource.getConvertInstanceEnv();
+        if (MapUtils.isEmpty(convertInstanceEnv)) {
+            script.execute(outputLogger);
+        } else {
+            script.execute(outputLogger, convertInstanceEnv);
+        }
         int exitValue = script.getExitValue();
         return exitValue == 0;
     }
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptorTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptorTest.java
index eddaa8f6499..2d51637c524 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptorTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStorageAdaptorTest.java
@@ -180,7 +180,8 @@ public class ScaleIOStorageAdaptorTest {
         details.put(ScaleIOGatewayClient.STORAGE_POOL_MDMS, "1.1.1.1,2.2.2.2");
         when(Script.runSimpleBashScriptForExitValue(Mockito.eq("systemctl status scini"))).thenReturn(3);
         when(Script.runSimpleBashScriptForExitValue(Mockito.eq("systemctl is-enabled scini"))).thenReturn(0);
-        when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms|grep 1.1.1.1"))).thenReturn("MDM-ID 71fd458f0775010f SDC ID 4421a91a00000000 INSTALLATION ID 204930df2cbcaf8e IPs [0]-3.3.3.3 [1]-4.4.4.4");
+        when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms|grep 1.1.1.1"), Mockito.eq(ScaleIOUtil.DEFAULT_TIMEOUT_MS)))
+                .thenReturn("MDM-ID 71fd458f0775010f SDC ID 4421a91a00000000 INSTALLATION ID 204930df2cbcaf8e IPs [0]-3.3.3.3 [1]-4.4.4.4");
 
         Pair<Boolean, String> result = scaleIOStorageAdaptor.unprepareStorageClient(poolUuid, details);
 
@@ -196,11 +197,11 @@ public class ScaleIOStorageAdaptorTest {
         when(Script.runSimpleBashScriptForExitValue(Mockito.eq("systemctl is-enabled scini"))).thenReturn(0);
         when(Script.executeCommand(Mockito.eq("sed -i '/1.1.1.1\\,/d' /etc/emc/scaleio/drv_cfg.txt"))).thenReturn(new Pair<>(null, null));
         when(Script.runSimpleBashScriptForExitValue(Mockito.eq("systemctl restart scini"))).thenReturn(0);
-        when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms|grep 1.1.1.1"))).thenReturn("MDM-ID 71fd458f0775010f SDC ID 4421a91a00000000 INSTALLATION ID 204930df2cbcaf8e IPs [0]-1.1.1.1 [1]-2.2.2.2");
+        when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms --file /etc/emc/scaleio/drv_cfg.txt|grep 1.1.1.1"), Mockito.eq(ScaleIOUtil.DEFAULT_TIMEOUT_MS)))
+                .thenReturn("MDM-ID 71fd458f0775010f SDC ID 4421a91a00000000 INSTALLATION ID 204930df2cbcaf8e IPs [0]-1.1.1.1 [1]-2.2.2.2");
         when(Script.executeCommand(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg"))).thenReturn(new Pair<>(null, null));
         when(Script.executeCommand(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_vols"))).thenReturn(new Pair<>("", null));
 
-
         Pair<Boolean, String> result = scaleIOStorageAdaptor.unprepareStorageClient(poolUuid, details);
 
         Assert.assertFalse(result.first());
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePoolTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePoolTest.java
index ba6f9ce4b0a..d520a03c79c 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePoolTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/storage/ScaleIOStoragePoolTest.java
@@ -95,9 +95,8 @@ public class ScaleIOStoragePoolTest {
         details.put(ScaleIOGatewayClient.STORAGE_POOL_SYSTEM_ID, systemId);
 
         try (MockedStatic<Script> ignored = Mockito.mockStatic(Script.class)) {
-            when(Script.runSimpleBashScript(
-                    "/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms|grep 218ce1797566a00f|awk '{print $5}'")).thenReturn(
-                    sdcId);
+            when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms --file /etc/emc/scaleio/drv_cfg.txt|grep 218ce1797566a00f|awk '{print $5}'"), Mockito.eq(ScaleIOUtil.DEFAULT_TIMEOUT_MS)))
+                    .thenReturn(sdcId);
 
             ScaleIOStoragePool pool1 = new ScaleIOStoragePool(uuid, "192.168.1.19", 443, "a519be2f00000000", type,
                     details, adapter);
@@ -116,10 +115,10 @@ public class ScaleIOStoragePoolTest {
         details.put(ScaleIOGatewayClient.STORAGE_POOL_SYSTEM_ID, systemId);
 
         try (MockedStatic<Script> ignored = Mockito.mockStatic(Script.class)) {
-            when(Script.runSimpleBashScript(
-                    "/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms|grep 218ce1797566a00f|awk '{print $5}'")).thenReturn(
-                    null);
-            when(Script.runSimpleBashScript("/opt/emc/scaleio/sdc/bin/drv_cfg --query_guid")).thenReturn(sdcGuid);
+            when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_mdms --file /etc/emc/scaleio/drv_cfg.txt|grep 218ce1797566a00f|awk '{print $5}'"), Mockito.eq(ScaleIOUtil.DEFAULT_TIMEOUT_MS)))
+                    .thenReturn(null);
+            when(Script.runSimpleBashScript(Mockito.eq("/opt/emc/scaleio/sdc/bin/drv_cfg --query_guid --file /etc/emc/scaleio/drv_cfg.txt"), Mockito.eq(ScaleIOUtil.DEFAULT_TIMEOUT_MS)))
+                    .thenReturn(sdcGuid);
 
             ScaleIOStoragePool pool1 = new ScaleIOStoragePool(uuid, "192.168.1.19", 443, "a519be2f00000000", type,
                     details, adapter);
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVO.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVO.java
new file mode 100644
index 00000000000..19babc86690
--- /dev/null
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVO.java
@@ -0,0 +1,83 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.kubernetes.cluster;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+
+import org.apache.cloudstack.api.InternalIdentity;
+
+@Entity
+@Table(name = "kubernetes_cluster_affinity_group_map")
+public class KubernetesClusterAffinityGroupMapVO implements InternalIdentity {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Long id;
+
+    @Column(name = "cluster_id")
+    private long clusterId;
+
+    @Column(name = "node_type")
+    private String nodeType;
+
+    @Column(name = "affinity_group_id")
+    private long affinityGroupId;
+
+    public KubernetesClusterAffinityGroupMapVO() {
+    }
+
+    public KubernetesClusterAffinityGroupMapVO(long clusterId, String nodeType, long affinityGroupId) {
+        this.clusterId = clusterId;
+        this.nodeType = nodeType;
+        this.affinityGroupId = affinityGroupId;
+    }
+
+    @Override
+    public long getId() {
+        return id;
+    }
+
+    public long getClusterId() {
+        return clusterId;
+    }
+
+    public void setClusterId(long clusterId) {
+        this.clusterId = clusterId;
+    }
+
+    public String getNodeType() {
+        return nodeType;
+    }
+
+    public void setNodeType(String nodeType) {
+        this.nodeType = nodeType;
+    }
+
+    public long getAffinityGroupId() {
+        return affinityGroupId;
+    }
+
+    public void setAffinityGroupId(long affinityGroupId) {
+        this.affinityGroupId = affinityGroupId;
+    }
+}
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterEventTypes.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterEventTypes.java
index 486a093e4ad..d11a0fc3dea 100755
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterEventTypes.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterEventTypes.java
@@ -25,4 +25,5 @@ public class KubernetesClusterEventTypes {
     public static final String EVENT_KUBERNETES_CLUSTER_UPGRADE = "KUBERNETES.CLUSTER.UPGRADE";
     public static final String EVENT_KUBERNETES_CLUSTER_NODES_ADD = "KUBERNETES.CLUSTER.NODES.ADD";
     public static final String EVENT_KUBERNETES_CLUSTER_NODES_REMOVE = "KUBERNETES.CLUSTER.NODES.REMOVE";
+    public static final String EVENT_KUBERNETES_CLUSTER_AFFINITY_UPDATE = "KUBERNETES.CLUSTER.AFFINITY.UPDATE";
 }
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
index d19470f8bab..fea20eb124f 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java
@@ -49,6 +49,7 @@ import javax.naming.ConfigurationException;
 
 import com.cloud.configuration.Resource;
 import com.cloud.user.ResourceLimitService;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.Role;
 import org.apache.cloudstack.acl.RolePermissionEntity;
@@ -57,7 +58,9 @@ import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.Rule;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.affinity.AffinityGroupVO;
+import org.apache.cloudstack.affinity.AffinityProcessorBase;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.affinity.dao.AffinityGroupVMMapDao;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
 import org.apache.cloudstack.api.ApiCommandResourceType;
@@ -86,6 +89,7 @@ import org.apache.cloudstack.api.command.user.kubernetes.cluster.RemoveVirtualMa
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.ScaleKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.StartKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.StopKubernetesClusterCmd;
+import org.apache.cloudstack.api.command.user.kubernetes.cluster.UpdateKubernetesClusterAffinityGroupCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.UpgradeKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.loadbalancer.AssignToLoadBalancerRuleCmd;
 import org.apache.cloudstack.api.command.user.loadbalancer.CreateLoadBalancerRuleCmd;
@@ -169,6 +173,7 @@ import com.cloud.kubernetes.cluster.actionworkers.KubernetesClusterScaleWorker;
 import com.cloud.kubernetes.cluster.actionworkers.KubernetesClusterStartWorker;
 import com.cloud.kubernetes.cluster.actionworkers.KubernetesClusterStopWorker;
 import com.cloud.kubernetes.cluster.actionworkers.KubernetesClusterUpgradeWorker;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterAffinityGroupMapDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDetailsDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
@@ -315,6 +320,8 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
     @Inject
     public KubernetesClusterDetailsDao kubernetesClusterDetailsDao;
     @Inject
+    public KubernetesClusterAffinityGroupMapDao kubernetesClusterAffinityGroupMapDao;
+    @Inject
     public KubernetesSupportedVersionDao kubernetesSupportedVersionDao;
     @Inject
     protected SSHKeyPairDao sshKeyPairDao;
@@ -329,6 +336,8 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
     @Inject
     protected AffinityGroupDao affinityGroupDao;
     @Inject
+    protected AffinityGroupVMMapDao affinityGroupVMMapDao;
+    @Inject
     protected ServiceOfferingDao serviceOfferingDao;
     @Inject
     protected UserDataDao userDataDao;
@@ -698,8 +707,8 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
             } else if (Objects.nonNull(domainId)) {
                 dedicatedHosts = dedicatedResourceDao.listByDomainId(domainId);
             }
-            for (DedicatedResourceVO dedicatedHost : dedicatedHosts) {
-                hosts.add(hostDao.findById(dedicatedHost.getHostId()));
+            for (DedicatedResourceVO dedicatedResource : dedicatedHosts) {
+                hosts.addAll(getHostsForDedicatedResource(dedicatedResource, zone));
                 useDedicatedHosts = true;
             }
         }
@@ -767,6 +776,23 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         throw new InsufficientServerCapacityException(msg, DataCenter.class, zone.getId());
     }
 
+    public List<HostVO> getHostsForDedicatedResource(DedicatedResourceVO dedicatedResource, DataCenter zone) {
+        if (dedicatedResource.getHostId() != null) {
+            HostVO host = hostDao.findById(dedicatedResource.getHostId());
+            return host != null ? List.of(host) : Collections.emptyList();
+        }
+        if (dedicatedResource.getClusterId() != null) {
+            return hostDao.findByClusterId(dedicatedResource.getClusterId());
+        }
+        if (dedicatedResource.getPodId() != null) {
+            return hostDao.findByPodId(dedicatedResource.getPodId(), Host.Type.Routing);
+        }
+        if (dedicatedResource.getDataCenterId() != null) {
+            return resourceManager.listAllHostsInOneZoneByType(Host.Type.Routing, dedicatedResource.getDataCenterId());
+        }
+        return Collections.emptyList();
+    }
+
     protected void setNodeTypeServiceOfferingResponse(KubernetesClusterResponse response,
                                                       KubernetesClusterNodeType nodeType,
                                                       Long offeringId) {
@@ -858,24 +884,38 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
 
         List<KubernetesUserVmResponse> vmResponses = new ArrayList<>();
         List<KubernetesClusterVmMapVO> vmList = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId());
-        ResponseView respView = ResponseView.Restricted;
+        ResponseView userVmResponseView = ResponseView.Restricted;
         Account caller = CallContext.current().getCallingAccount();
         if (accountService.isRootAdmin(caller.getId())) {
-            respView = ResponseView.Full;
+            userVmResponseView = ResponseView.Full;
         }
         final String responseName = "virtualmachine";
         if (vmList != null && !vmList.isEmpty()) {
-            for (KubernetesClusterVmMapVO vmMapVO : vmList) {
-                UserVmJoinVO userVM = userVmJoinDao.findById(vmMapVO.getVmId());
-                if (userVM != null) {
-                    UserVmResponse vmResponse = ApiDBUtils.newUserVmResponse(respView, responseName, userVM,
-                        EnumSet.of(VMDetails.nics), caller);
+            Map<Long, KubernetesClusterVmMapVO> vmMapById = vmList.stream()
+                    .collect(Collectors.toMap(KubernetesClusterVmMapVO::getVmId, vm -> vm));
+            Long[] vmIds = vmMapById.keySet().toArray(new Long[0]);
+            List<UserVmJoinVO> userVmJoinVOs = userVmJoinDao.searchByIds(vmIds);
+            if (userVmJoinVOs != null && !userVmJoinVOs.isEmpty()) {
+                Map<Long, UserVmResponse> vmResponseMap = new HashMap<>();
+                for (UserVmJoinVO userVM : userVmJoinVOs) {
+                    Long vmId = userVM.getId();
+                    UserVmResponse vmResponse = vmResponseMap.get(vmId);
+                    if (vmResponse == null) {
+                        vmResponse = ApiDBUtils.newUserVmResponse(userVmResponseView, responseName, userVM,
+                                EnumSet.of(VMDetails.nics, VMDetails.affgrp), caller);
+                        vmResponseMap.put(vmId, vmResponse);
+                    } else {
+                        ApiDBUtils.fillVmDetails(userVmResponseView, vmResponse, userVM);
+                    }
+                }
+                for (Map.Entry<Long, UserVmResponse> vmIdResponseEntry : vmResponseMap.entrySet()) {
                     KubernetesUserVmResponse kubernetesUserVmResponse = new KubernetesUserVmResponse();
                     try {
-                        BeanUtils.copyProperties(kubernetesUserVmResponse, vmResponse);
+                        BeanUtils.copyProperties(kubernetesUserVmResponse, vmIdResponseEntry.getValue());
                     } catch (IllegalAccessException | InvocationTargetException e) {
                         throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to generate zone metrics response");
                     }
+                    KubernetesClusterVmMapVO vmMapVO = vmMapById.get(vmIdResponseEntry.getKey());
                     kubernetesUserVmResponse.setExternalNode(vmMapVO.isExternalNode());
                     kubernetesUserVmResponse.setEtcdNode(vmMapVO.isEtcdNode());
                     kubernetesUserVmResponse.setNodeVersion(vmMapVO.getNodeVersion());
@@ -905,10 +945,45 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         response.setClusterType(kubernetesCluster.getClusterType());
         response.setCsiEnabled(kubernetesCluster.isCsiEnabled());
         response.setCreated(kubernetesCluster.getCreated());
+        setNodeTypeAffinityGroupResponse(response, kubernetesCluster.getId());
 
         return response;
     }
 
+    protected void setNodeTypeAffinityGroupResponse(KubernetesClusterResponse response, long clusterId) {
+        setAffinityGroupResponseForNodeType(response, clusterId, CONTROL.name());
+        setAffinityGroupResponseForNodeType(response, clusterId, WORKER.name());
+        setAffinityGroupResponseForNodeType(response, clusterId, ETCD.name());
+    }
+
+    protected void setAffinityGroupResponseForNodeType(KubernetesClusterResponse response, long clusterId, String nodeType) {
+        List<Long> affinityGroupIds = kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, nodeType);
+        if (CollectionUtils.isEmpty(affinityGroupIds)) {
+            return;
+        }
+        List<String> affinityGroupUuids = new ArrayList<>();
+        List<String> affinityGroupNames = new ArrayList<>();
+        for (Long affinityGroupId : affinityGroupIds) {
+            AffinityGroupVO affinityGroup = affinityGroupDao.findById(affinityGroupId);
+            if (affinityGroup != null) {
+                affinityGroupUuids.add(affinityGroup.getUuid());
+                affinityGroupNames.add(affinityGroup.getName());
+            }
+        }
+        String affinityGroupUuidsCsv = String.join(",", affinityGroupUuids);
+        String affinityGroupNamesCsv = String.join(",", affinityGroupNames);
+        if (CONTROL.name().equals(nodeType)) {
+            response.setControlAffinityGroupIds(affinityGroupUuidsCsv);
+            response.setControlAffinityGroupNames(affinityGroupNamesCsv);
+        } else if (WORKER.name().equals(nodeType)) {
+            response.setWorkerAffinityGroupIds(affinityGroupUuidsCsv);
+            response.setWorkerAffinityGroupNames(affinityGroupNamesCsv);
+        } else if (ETCD.name().equals(nodeType)) {
+            response.setEtcdAffinityGroupIds(affinityGroupUuidsCsv);
+            response.setEtcdAffinityGroupNames(affinityGroupNamesCsv);
+        }
+    }
+
     private DataCenter validateAndGetZoneForKubernetesCreateParameters(Long zoneId, Long networkId) {
         DataCenter zone = dataCenterDao.findById(zoneId);
         if (zone == null) {
@@ -1190,6 +1265,20 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         return network;
     }
 
+    private void persistAffinityGroupMappings(long clusterId, Map<String, List<Long>> affinityGroupNodeTypeMap) {
+        if (MapUtils.isEmpty(affinityGroupNodeTypeMap)) {
+            return;
+        }
+        for (Map.Entry<String, List<Long>> nodeTypeAffinityGroupEntry : affinityGroupNodeTypeMap.entrySet()) {
+            String nodeType = nodeTypeAffinityGroupEntry.getKey();
+            List<Long> affinityGroupIds = nodeTypeAffinityGroupEntry.getValue();
+            for (Long affinityGroupId : affinityGroupIds) {
+                kubernetesClusterAffinityGroupMapDao.persist(
+                    new KubernetesClusterAffinityGroupMapVO(clusterId, nodeType, affinityGroupId));
+            }
+        }
+    }
+
     private void addKubernetesClusterDetails(final KubernetesCluster kubernetesCluster, final Network network, final CreateKubernetesClusterCmd cmd) {
         final String externalLoadBalancerIpAddress = cmd.getExternalLoadBalancerIpAddress();
         final String dockerRegistryUserName = cmd.getDockerRegistryUserName();
@@ -1629,6 +1718,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         }
 
         Map<String, Long> templateNodeTypeMap = cmd.getTemplateNodeTypeMap();
+        Map<String, List<Long>> affinityGroupNodeTypeMap = cmd.getAffinityGroupNodeTypeMap();
         final VMTemplateVO finalTemplate = getKubernetesServiceTemplate(zone, hypervisorType, templateNodeTypeMap, DEFAULT, clusterKubernetesVersion);
         final VMTemplateVO controlNodeTemplate = getKubernetesServiceTemplate(zone, hypervisorType, templateNodeTypeMap, CONTROL, clusterKubernetesVersion);
         final VMTemplateVO workerNodeTemplate = getKubernetesServiceTemplate(zone, hypervisorType, templateNodeTypeMap, WORKER, clusterKubernetesVersion);
@@ -1674,6 +1764,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
                 }
                 newCluster.setCsiEnabled(cmd.getEnableCsi());
                 kubernetesClusterDao.persist(newCluster);
+                persistAffinityGroupMappings(newCluster.getId(), affinityGroupNodeTypeMap);
                 addKubernetesClusterDetails(newCluster, defaultNetwork, cmd);
                 return newCluster;
             }
@@ -1890,12 +1981,12 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
                     KUBEADMIN_ACCOUNT_NAME, "kubeadmin", null, UUID.randomUUID().toString(), User.Source.UNKNOWN));
             keys = createUserApiKeyAndSecretKey(kube.getId());
         } else {
-            String apiKey = kubeadmin.getApiKey();
-            String secretKey = kubeadmin.getSecretKey();
-            if (StringUtils.isAnyEmpty(apiKey, secretKey)) {
+            ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(kubeadmin.getId());
+
+            if (latestKeypair == null) {
                 keys = createUserApiKeyAndSecretKey(kubeadmin.getId());
             } else {
-                keys = new String[]{apiKey, secretKey};
+                keys = new String[]{latestKeypair.getApiKey(), latestKeypair.getSecretKey()};
             }
         }
         return keys;
@@ -2230,6 +2321,94 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         return upgradeWorker.upgradeCluster();
     }
 
+    @Override
+    @ActionEvent(eventType = KubernetesClusterEventTypes.EVENT_KUBERNETES_CLUSTER_AFFINITY_UPDATE,
+            eventDescription = "updating Kubernetes cluster affinity groups")
+    public boolean updateKubernetesClusterAffinityGroups(UpdateKubernetesClusterAffinityGroupCmd cmd) throws CloudRuntimeException {
+        if (!KubernetesServiceEnabled.value()) {
+            logAndThrow(Level.ERROR, "Kubernetes Service plugin is disabled");
+        }
+        KubernetesClusterVO kubernetesCluster = validateClusterForAffinityGroupUpdate(cmd.getId());
+        Map<String, List<Long>> affinityGroupNodeTypeMap = cmd.getAffinityGroupNodeTypeMap();
+        validateNodeAffinityGroups(affinityGroupNodeTypeMap, kubernetesCluster.getAccountId());
+
+        final Long clusterId = kubernetesCluster.getId();
+        Transaction.execute(new TransactionCallbackNoReturn() {
+            @Override
+            public void doInTransactionWithoutResult(TransactionStatus status) {
+                kubernetesClusterAffinityGroupMapDao.removeByClusterId(clusterId);
+                persistAffinityGroupMappings(clusterId, affinityGroupNodeTypeMap);
+                syncVmAffinityGroups(clusterId, affinityGroupNodeTypeMap);
+            }
+        });
+        logger.info("Updated affinity groups for Kubernetes cluster {}", kubernetesCluster.getName());
+        return true;
+    }
+
+    private KubernetesClusterVO validateClusterForAffinityGroupUpdate(Long clusterId) {
+        KubernetesClusterVO kubernetesCluster = kubernetesClusterDao.findById(clusterId);
+        if (Objects.isNull(kubernetesCluster) || Objects.nonNull(kubernetesCluster.getRemoved())) {
+            throw new InvalidParameterValueException("Invalid Kubernetes cluster ID");
+        }
+        if (!KubernetesCluster.ClusterType.CloudManaged.equals(kubernetesCluster.getClusterType())) {
+            throw new InvalidParameterValueException("Affinity groups can only be updated for CloudManaged Kubernetes clusters");
+        }
+        if (!KubernetesCluster.State.Stopped.equals(kubernetesCluster.getState())) {
+            throw new InvalidParameterValueException(String.format(
+                    "Kubernetes cluster %s must be stopped before updating affinity groups (current state: %s)",
+                    kubernetesCluster.getName(), kubernetesCluster.getState()));
+        }
+        accountManager.checkAccess(CallContext.current().getCallingAccount(),
+                SecurityChecker.AccessType.OperateEntry, false, kubernetesCluster);
+        return kubernetesCluster;
+    }
+
+    private void validateNodeAffinityGroups(Map<String, List<Long>> affinityGroupNodeTypeMap, long ownerAccountId) {
+        if (MapUtils.isEmpty(affinityGroupNodeTypeMap)) {
+            return;
+        }
+        Account owner = accountDao.findById(ownerAccountId);
+        for (List<Long> affinityGroupIds : affinityGroupNodeTypeMap.values()) {
+            for (Long affinityGroupId : affinityGroupIds) {
+                AffinityGroupVO affinityGroup = affinityGroupDao.findById(affinityGroupId);
+                if (Objects.isNull(affinityGroup)) {
+                    throw new InvalidParameterValueException("Unable to find affinity group with ID: " + affinityGroupId);
+                }
+                if (affinityGroup.getAccountId() != owner.getAccountId()) {
+                    throw new InvalidParameterValueException(String.format(
+                            "Affinity group %s does not belong to the cluster owner account %s",
+                            affinityGroup.getName(), owner.getAccountName()));
+                }
+            }
+        }
+    }
+
+    private void syncVmAffinityGroups(Long clusterId, Map<String, List<Long>> affinityGroupNodeTypeMap) {
+        List<KubernetesClusterVmMapVO> clusterVmMappings = kubernetesClusterVmMapDao.listByClusterId(clusterId);
+        if (CollectionUtils.isEmpty(clusterVmMappings)) {
+            return;
+        }
+        Map<String, List<Long>> nodeTypeAffinityMap = MapUtils.isEmpty(affinityGroupNodeTypeMap)
+                ? Collections.emptyMap() : affinityGroupNodeTypeMap;
+        for (KubernetesClusterVmMapVO clusterVmMapping : clusterVmMappings) {
+            if (clusterVmMapping.isExternalNode()) {
+                continue;
+            }
+            String nodeType = getNodeType(clusterVmMapping);
+            affinityGroupVMMapDao.updateMap(clusterVmMapping.getVmId(),
+                    nodeTypeAffinityMap.getOrDefault(nodeType, Collections.emptyList()));
+        }
+    }
+
+    private String getNodeType(KubernetesClusterVmMapVO clusterVmMapping) {
+        if (clusterVmMapping.isControlNode()) {
+            return CONTROL.name();
+        } else if (clusterVmMapping.isEtcdNode()) {
+            return ETCD.name();
+        }
+        return WORKER.name();
+    }
+
     private void updateNodeCount(KubernetesClusterVO kubernetesCluster) {
         List<KubernetesClusterVmMapVO> nodeList = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId());
         kubernetesCluster.setControlNodeCount(nodeList.stream().filter(KubernetesClusterVmMapVO::isControlNode).count());
@@ -2291,6 +2470,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         if (validNodeIds.isEmpty()) {
             throw new CloudRuntimeException("No valid nodes found to be added to the Kubernetes cluster");
         }
+        validateNodeAffinityGroups(validNodeIds, kubernetesCluster);
         KubernetesClusterAddWorker addWorker = new KubernetesClusterAddWorker(kubernetesCluster, KubernetesClusterManagerImpl.this);
         addWorker = ComponentContext.inject(addWorker);
         return addWorker.addNodesToCluster(validNodeIds, cmd.isMountCksIsoOnVr(), cmd.isManualUpgrade());
@@ -2350,6 +2530,98 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         return validNodeIds;
     }
 
+    protected void validateNodeAffinityGroups(List<Long> nodeIds, KubernetesCluster cluster) {
+        List<Long> workerAffinityGroupIds = kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(
+                cluster.getId(), WORKER.name());
+        if (CollectionUtils.isEmpty(workerAffinityGroupIds)) {
+            return;
+        }
+
+        Set<Long> existingWorkerHostIds = getExistingWorkerHostIds(cluster);
+
+        for (Long affinityGroupId : workerAffinityGroupIds) {
+            AffinityGroupVO affinityGroup = affinityGroupDao.findById(affinityGroupId);
+            if (affinityGroup == null) {
+                continue;
+            }
+
+            validateNodesAgainstExistingWorkers(nodeIds, existingWorkerHostIds, affinityGroup, cluster);
+            validateNewNodesAntiAffinity(nodeIds, affinityGroup, cluster);
+        }
+    }
+
+    protected Set<Long> getExistingWorkerHostIds(KubernetesCluster cluster) {
+        List<KubernetesClusterVmMapVO> existingWorkerVms = kubernetesClusterVmMapDao.listByClusterIdAndVmType(cluster.getId(), WORKER);
+        Set<Long> existingWorkerHostIds = new HashSet<>();
+        for (KubernetesClusterVmMapVO workerVmMap : existingWorkerVms) {
+            VMInstanceVO workerVm = vmInstanceDao.findById(workerVmMap.getVmId());
+            if (workerVm != null && workerVm.getHostId() != null) {
+                existingWorkerHostIds.add(workerVm.getHostId());
+            }
+        }
+        return existingWorkerHostIds;
+    }
+
+    protected void validateNodesAgainstExistingWorkers(List<Long> nodeIds, Set<Long> existingWorkerHostIds,
+                                                       AffinityGroupVO affinityGroup, KubernetesCluster cluster) {
+        for (Long nodeId : nodeIds) {
+            VMInstanceVO node = vmInstanceDao.findById(nodeId);
+            if (node == null || node.getHostId() == null) {
+                continue;
+            }
+            Long nodeHostId = node.getHostId();
+            String nodeHostName = getHostName(nodeHostId);
+
+            if (AffinityProcessorBase.AFFINITY_TYPE_HOST_ANTI.equals(affinityGroup.getType())) {
+                if (existingWorkerHostIds.contains(nodeHostId)) {
+                    throw new InvalidParameterValueException(String.format(
+                            "Cannot add VM %s to cluster %s. VM is running on host %s which violates the cluster's " +
+                            "host anti-affinity rule (affinity group: %s). Existing worker VMs are already running on this host.",
+                            node.getInstanceName(), cluster.getName(), nodeHostName, affinityGroup.getName()));
+                }
+            } else if (AffinityProcessorBase.AFFINITY_TYPE_HOST.equals(affinityGroup.getType())) {
+                if (!existingWorkerHostIds.isEmpty() && !existingWorkerHostIds.contains(nodeHostId)) {
+                    List<String> existingHostNames = existingWorkerHostIds.stream()
+                            .map(this::getHostName)
+                            .collect(Collectors.toList());
+                    throw new InvalidParameterValueException(String.format(
+                            "Cannot add VM %s to cluster %s. VM is running on host %s which violates the cluster's " +
+                            "host affinity rule (affinity group: %s). All worker VMs must run on the same host. " +
+                            "Existing workers are on host(s): %s.",
+                            node.getInstanceName(), cluster.getName(), nodeHostName, affinityGroup.getName(),
+                            String.join(", ", existingHostNames)));
+                }
+            }
+        }
+    }
+
+    protected void validateNewNodesAntiAffinity(List<Long> nodeIds, AffinityGroupVO affinityGroup, KubernetesCluster cluster) {
+        if (!AffinityProcessorBase.AFFINITY_TYPE_HOST_ANTI.equals(affinityGroup.getType())) {
+            return;
+        }
+
+        Set<Long> newNodeHostIds = new HashSet<>();
+        for (Long nodeId : nodeIds) {
+            VMInstanceVO node = vmInstanceDao.findById(nodeId);
+            if (node != null && node.getHostId() != null) {
+                Long nodeHostId = node.getHostId();
+                if (newNodeHostIds.contains(nodeHostId)) {
+                    String nodeHostName = getHostName(nodeHostId);
+                    throw new InvalidParameterValueException(String.format(
+                            "Cannot add VM %s to cluster %s. Multiple VMs being added are running on the same host %s, " +
+                            "which violates the cluster's host anti-affinity rule (affinity group: %s).",
+                            node.getInstanceName(), cluster.getName(), nodeHostName, affinityGroup.getName()));
+                }
+                newNodeHostIds.add(nodeHostId);
+            }
+        }
+    }
+
+    protected String getHostName(Long hostId) {
+        HostVO host = hostDao.findById(hostId);
+        return host != null ? host.getName() : String.valueOf(hostId);
+    }
+
     @Override
     public List<RemoveVirtualMachinesFromKubernetesClusterResponse> removeVmsFromCluster(RemoveVirtualMachinesFromKubernetesClusterCmd cmd) {
         if (!KubernetesServiceEnabled.value()) {
@@ -2486,6 +2758,7 @@ public class KubernetesClusterManagerImpl extends ManagerBase implements Kuberne
         cmdList.add(RemoveVirtualMachinesFromKubernetesClusterCmd.class);
         cmdList.add(AddNodesToKubernetesClusterCmd.class);
         cmdList.add(RemoveNodesFromKubernetesClusterCmd.class);
+        cmdList.add(UpdateKubernetesClusterAffinityGroupCmd.class);
         return cmdList;
     }
 
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterService.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterService.java
index 6bdb4265e01..1d19127dc54 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterService.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterService.java
@@ -32,6 +32,7 @@ import org.apache.cloudstack.api.command.user.kubernetes.cluster.RemoveVirtualMa
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.ScaleKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.StartKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.StopKubernetesClusterCmd;
+import org.apache.cloudstack.api.command.user.kubernetes.cluster.UpdateKubernetesClusterAffinityGroupCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.UpgradeKubernetesClusterCmd;
 import org.apache.cloudstack.api.response.KubernetesClusterConfigResponse;
 import org.apache.cloudstack.api.response.KubernetesClusterResponse;
@@ -171,6 +172,8 @@ public interface KubernetesClusterService extends PluggableService, Configurable
 
     boolean upgradeKubernetesCluster(UpgradeKubernetesClusterCmd cmd) throws CloudRuntimeException;
 
+    boolean updateKubernetesClusterAffinityGroups(UpdateKubernetesClusterAffinityGroupCmd cmd) throws CloudRuntimeException;
+
     boolean addVmsToCluster(AddVirtualMachinesToKubernetesClusterCmd cmd);
 
     boolean addNodesToKubernetesCluster(AddNodesToKubernetesClusterCmd cmd);
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImpl.java
index 30465c99780..9faeb56aea4 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImpl.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImpl.java
@@ -18,12 +18,16 @@ package com.cloud.kubernetes.cluster;
 
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
 import javax.inject.Inject;
 
+import org.apache.cloudstack.affinity.AffinityGroup;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.service.dao.ServiceOfferingDao;
@@ -66,6 +70,8 @@ public class KubernetesServiceHelperImpl extends AdapterBase implements Kubernet
     @Inject
     protected VMTemplateDao vmTemplateDao;
     @Inject
+    protected AffinityGroupDao affinityGroupDao;
+    @Inject
     KubernetesClusterService kubernetesClusterService;
 
     protected void setEventTypeEntityDetails(Class<?> eventTypeDefinedClass, Class<?> entityClass) {
@@ -123,6 +129,27 @@ public class KubernetesServiceHelperImpl extends AdapterBase implements Kubernet
         throw new CloudRuntimeException(msg);
     }
 
+    @Override
+    public void checkVmAffinityGroupsCanBeUpdated(UserVm userVm) {
+        if (!UserVmManager.CKS_NODE.equals(userVm.getUserVmType())) {
+            return;
+        }
+        KubernetesClusterVmMapVO clusterVmMapping = kubernetesClusterVmMapDao.findByVmId(userVm.getId());
+        if (Objects.isNull(clusterVmMapping)) {
+            return;
+        }
+        KubernetesCluster kubernetesCluster = kubernetesClusterDao.findById(clusterVmMapping.getClusterId());
+        String errorMessage = "Affinity groups cannot be updated for a VM part of Kubernetes cluster";
+        if (Objects.nonNull(kubernetesCluster)) {
+            if (KubernetesCluster.ClusterType.ExternalManaged.equals(kubernetesCluster.getClusterType())) {
+                return;
+            }
+            errorMessage += String.format(": %s", kubernetesCluster.getName());
+        }
+        errorMessage += ". Please use the cluster's Change Affinity option instead.";
+        throw new CloudRuntimeException(errorMessage);
+    }
+
     @Override
     public boolean isValidNodeType(String nodeType) {
         if (StringUtils.isBlank(nodeType)) {
@@ -244,6 +271,81 @@ public class KubernetesServiceHelperImpl extends AdapterBase implements Kubernet
         return mapping;
     }
 
+    protected void checkNodeTypeAffinityGroupEntryCompleteness(String nodeType, String affinityGroupUuids) {
+        if (StringUtils.isAnyBlank(nodeType, affinityGroupUuids)) {
+            String error = String.format("Any Node Type to Affinity Group entry should have valid '%s' and '%s' values",
+                    VmDetailConstants.CKS_NODE_TYPE, VmDetailConstants.AFFINITY_GROUP);
+            logger.error(error);
+            throw new InvalidParameterValueException(error);
+        }
+    }
+
+    protected void checkNodeTypeAffinityGroupEntryNodeType(String nodeType) {
+        if (!isValidNodeType(nodeType)) {
+            String error = String.format("The provided value '%s' for Node Type is invalid", nodeType);
+            logger.error(error);
+            throw new InvalidParameterValueException(error);
+        }
+    }
+
+    protected Long validateAffinityGroupUuidAndGetId(String affinityGroupUuid) {
+        if (StringUtils.isBlank(affinityGroupUuid)) {
+            String error = "Empty affinity group UUID provided";
+            logger.error(error);
+            throw new InvalidParameterValueException(error);
+        }
+        AffinityGroup affinityGroup = affinityGroupDao.findByUuid(affinityGroupUuid);
+        if (affinityGroup == null) {
+            String error = String.format("Cannot find an affinity group with ID %s", affinityGroupUuid);
+            logger.error(error);
+            throw new InvalidParameterValueException(error);
+        }
+        return affinityGroup.getId();
+    }
+
+    protected List<Long> validateAndGetAffinityGroupIds(String affinityGroupUuids) {
+        String[] uuids = affinityGroupUuids.split(",");
+        List<Long> affinityGroupIds = new ArrayList<>();
+        for (String uuid : uuids) {
+            String trimmedUuid = uuid.trim();
+            Long affinityGroupId = validateAffinityGroupUuidAndGetId(trimmedUuid);
+            affinityGroupIds.add(affinityGroupId);
+        }
+        return affinityGroupIds;
+    }
+
+    protected void addNodeTypeAffinityGroupEntry(String nodeType, List<Long> affinityGroupIds, Map<String, List<Long>> nodeTypeToAffinityGroupIds) {
+        if (logger.isDebugEnabled()) {
+            logger.debug(String.format("Node Type: '%s' should use affinity group IDs: '%s'", nodeType, affinityGroupIds));
+        }
+        KubernetesClusterNodeType clusterNodeType = KubernetesClusterNodeType.valueOf(nodeType.toUpperCase());
+        nodeTypeToAffinityGroupIds.put(clusterNodeType.name(), affinityGroupIds);
+    }
+
+    protected void processNodeTypeAffinityGroupEntryAndAddToMappingIfValid(Map<String, String> nodeTypeAffinityConfig, Map<String, List<Long>> nodeTypeToAffinityGroupIds) {
+        if (MapUtils.isEmpty(nodeTypeAffinityConfig)) {
+            return;
+        }
+        String nodeType = nodeTypeAffinityConfig.get(VmDetailConstants.CKS_NODE_TYPE);
+        String affinityGroupUuids = nodeTypeAffinityConfig.get(VmDetailConstants.AFFINITY_GROUP);
+        checkNodeTypeAffinityGroupEntryCompleteness(nodeType, affinityGroupUuids);
+        checkNodeTypeAffinityGroupEntryNodeType(nodeType);
+
+        List<Long> affinityGroupIds = validateAndGetAffinityGroupIds(affinityGroupUuids);
+        addNodeTypeAffinityGroupEntry(nodeType, affinityGroupIds, nodeTypeToAffinityGroupIds);
+    }
+
+    @Override
+    public Map<String, List<Long>> getAffinityGroupNodeTypeMap(Map<String, Map<String, String>> affinityGroupNodeTypeMap) {
+        Map<String, List<Long>> nodeTypeToAffinityGroupIds = new HashMap<>();
+        if (MapUtils.isNotEmpty(affinityGroupNodeTypeMap)) {
+            for (Map<String, String> nodeTypeAffinityConfig : affinityGroupNodeTypeMap.values()) {
+                processNodeTypeAffinityGroupEntryAndAddToMappingIfValid(nodeTypeAffinityConfig, nodeTypeToAffinityGroupIds);
+            }
+        }
+        return nodeTypeToAffinityGroupIds;
+    }
+
     public void cleanupForAccount(Account account) {
         kubernetesClusterService.cleanupForAccount(account);
     }
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorker.java
index 1d4b6e8d0a8..4fcf6fa7686 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorker.java
@@ -28,9 +28,11 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.stream.Collectors;
 
@@ -63,7 +65,9 @@ import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.dao.NicDao;
 import com.cloud.vm.UserVmManager;
 import org.apache.cloudstack.affinity.AffinityGroupVO;
+import org.apache.cloudstack.affinity.AffinityProcessorBase;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.apache.cloudstack.affinity.dao.AffinityGroupVMMapDao;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.user.firewall.CreateFirewallRuleCmd;
@@ -90,6 +94,7 @@ import com.cloud.kubernetes.cluster.KubernetesClusterDetailsVO;
 import com.cloud.kubernetes.cluster.KubernetesClusterManagerImpl;
 import com.cloud.kubernetes.cluster.KubernetesClusterVO;
 import com.cloud.kubernetes.cluster.KubernetesClusterVmMapVO;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterAffinityGroupMapDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDetailsDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
@@ -124,10 +129,12 @@ import com.cloud.utils.fsm.NoTransitionException;
 import com.cloud.utils.fsm.StateMachine2;
 import com.cloud.utils.ssh.SshHelper;
 import com.cloud.vm.VMInstanceDetailVO;
+import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.UserVmService;
 import com.cloud.vm.UserVmVO;
 import com.cloud.vm.VmDetailConstants;
 import com.cloud.vm.dao.UserVmDao;
+import com.cloud.vm.dao.VMInstanceDao;
 import com.cloud.vm.dao.VMInstanceDetailsDao;
 
 import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType.CONTROL;
@@ -213,10 +220,15 @@ public class KubernetesClusterActionWorker {
     private NicDao nicDao;
     @Inject
     protected AffinityGroupDao affinityGroupDao;
+    @Inject
+    protected AffinityGroupVMMapDao affinityGroupVMMapDao;
+    @Inject
+    protected VMInstanceDao vmInstanceDao;
 
     protected KubernetesClusterDao kubernetesClusterDao;
     protected KubernetesClusterVmMapDao kubernetesClusterVmMapDao;
     protected KubernetesClusterDetailsDao kubernetesClusterDetailsDao;
+    protected KubernetesClusterAffinityGroupMapDao kubernetesClusterAffinityGroupMapDao;
     protected KubernetesSupportedVersionDao kubernetesSupportedVersionDao;
 
     protected KubernetesCluster kubernetesCluster;
@@ -251,6 +263,7 @@ public class KubernetesClusterActionWorker {
         this.kubernetesClusterDao = clusterManager.kubernetesClusterDao;
         this.kubernetesClusterDetailsDao = clusterManager.kubernetesClusterDetailsDao;
         this.kubernetesClusterVmMapDao = clusterManager.kubernetesClusterVmMapDao;
+        this.kubernetesClusterAffinityGroupMapDao = clusterManager.kubernetesClusterAffinityGroupMapDao;
         this.kubernetesSupportedVersionDao = clusterManager.kubernetesSupportedVersionDao;
         this.manager = clusterManager;
     }
@@ -1112,4 +1125,76 @@ public class KubernetesClusterActionWorker {
         }
         return null;
     }
+
+    protected List<Long> getAffinityGroupIdsForNodeType(KubernetesClusterNodeType nodeType) {
+        List<Long> affinityGroupIds = kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(
+            kubernetesCluster.getId(), nodeType.name());
+        if (CollectionUtils.isEmpty(affinityGroupIds)) {
+            return new ArrayList<>();
+        }
+        return new ArrayList<>(affinityGroupIds);
+    }
+
+    protected List<Long> getMergedAffinityGroupIds(KubernetesClusterNodeType nodeType, Long domainId, Long accountId) {
+        List<Long> affinityGroupIds = getAffinityGroupIdsForNodeType(nodeType);
+        Long explicitAffinityGroupId = getExplicitAffinityGroup(domainId, accountId);
+        if (explicitAffinityGroupId != null && !affinityGroupIds.contains(explicitAffinityGroupId)) {
+            affinityGroupIds.add(explicitAffinityGroupId);
+        }
+        return affinityGroupIds.isEmpty() ? null : affinityGroupIds;
+    }
+
+    private Set<Long> getRunningVmHostIds(Long affinityGroupId) {
+        return affinityGroupVMMapDao.listVmIdsByAffinityGroup(affinityGroupId).stream()
+                .map(vmInstanceDao::findById)
+                .filter(vm -> Objects.nonNull(vm) && Objects.nonNull(vm.getHostId()) && VirtualMachine.State.Running.equals(vm.getState()))
+                .map(VMInstanceVO::getHostId)
+                .collect(Collectors.toSet());
+    }
+
+    protected AffinityConstraints resolveAffinityConstraints(KubernetesClusterNodeType nodeType, Long domainId, Long accountId) {
+        Set<Long> antiAffinityOccupiedHosts = new HashSet<>();
+        Long requiredHostId = null;
+        boolean hasHostAntiAffinity = false;
+        boolean hasHostAffinity = false;
+
+        if (Objects.nonNull(nodeType)) {
+            List<Long> affinityGroupIds = getMergedAffinityGroupIds(nodeType, domainId, accountId);
+            if (CollectionUtils.isNotEmpty(affinityGroupIds)) {
+            for (Long affinityGroupId : affinityGroupIds) {
+                AffinityGroupVO affinityGroup = affinityGroupDao.findById(affinityGroupId);
+                if (Objects.isNull(affinityGroup)) {
+                    continue;
+                }
+                if (AffinityProcessorBase.AFFINITY_TYPE_HOST_ANTI.equals(affinityGroup.getType())) {
+                    hasHostAntiAffinity = true;
+                    antiAffinityOccupiedHosts.addAll(getRunningVmHostIds(affinityGroupId));
+                } else if (AffinityProcessorBase.AFFINITY_TYPE_HOST.equals(affinityGroup.getType())) {
+                    hasHostAffinity = true;
+                    Set<Long> hostIds = getRunningVmHostIds(affinityGroupId);
+                    if (CollectionUtils.isNotEmpty(hostIds)) {
+                        requiredHostId = hostIds.iterator().next();
+                    }
+                }
+            }
+            }
+        }
+
+        return new AffinityConstraints(hasHostAntiAffinity, hasHostAffinity, antiAffinityOccupiedHosts, requiredHostId);
+    }
+
+    protected static class AffinityConstraints {
+        final boolean hasHostAntiAffinity;
+        final boolean hasHostAffinity;
+        final Set<Long> antiAffinityOccupiedHosts;
+        final Long requiredHostId;
+
+        AffinityConstraints(boolean hasHostAntiAffinity, boolean hasHostAffinity,
+                            Set<Long> antiAffinityOccupiedHosts, Long requiredHostId) {
+            this.hasHostAntiAffinity = hasHostAntiAffinity;
+            this.hasHostAffinity = hasHostAffinity;
+            this.antiAffinityOccupiedHosts = antiAffinityOccupiedHosts;
+            this.requiredHostId = requiredHostId;
+        }
+    }
 }
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterDestroyWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterDestroyWorker.java
index 62bd8b4576a..dc886117b22 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterDestroyWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterDestroyWorker.java
@@ -348,6 +348,7 @@ public class KubernetesClusterDestroyWorker extends KubernetesClusterResourceMod
         stateTransitTo(kubernetesCluster.getId(), KubernetesCluster.Event.OperationSucceeded);
         annotationDao.removeByEntityType(AnnotationService.EntityType.KUBERNETES_CLUSTER.name(), kubernetesCluster.getUuid());
         kubernetesClusterDetailsDao.removeDetails(kubernetesCluster.getId());
+        kubernetesClusterAffinityGroupMapDao.removeByClusterId(kubernetesCluster.getId());
         boolean deleted = kubernetesClusterDao.remove(kubernetesCluster.getId());
         if (!deleted) {
             logMessage(Level.WARN, String.format("Failed to delete Kubernetes cluster: %s", kubernetesCluster), null);
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
index cf69234d19e..1ed75f14dfb 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterResourceModifierActionWorker.java
@@ -26,7 +26,6 @@ import static com.cloud.utils.db.Transaction.execute;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -116,7 +115,6 @@ import com.cloud.vm.Nic;
 import com.cloud.vm.UserVmManager;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VmDetailConstants;
-import com.cloud.vm.dao.VMInstanceDao;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.logging.log4j.Level;
@@ -152,8 +150,6 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
     @Inject
     protected LoadBalancerDao loadBalancerDao;
     @Inject
-    protected VMInstanceDao vmInstanceDao;
-    @Inject
     protected UserVmManager userVmManager;
     @Inject
     protected LaunchPermissionDao launchPermissionDao;
@@ -177,8 +173,33 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
         kubernetesClusterNodeNamePrefix = getKubernetesClusterNodeNamePrefix();
     }
 
+    protected List<HostVO> filterHostsByAffinityConstraints(List<HostVO> hosts, AffinityConstraints constraints, DataCenter zone)
+            throws InsufficientServerCapacityException {
+        if (constraints.hasHostAffinity && Objects.nonNull(constraints.requiredHostId)) {
+            hosts = hosts.stream().filter(host -> host.getId() == constraints.requiredHostId.longValue()).collect(Collectors.toList());
+            if (CollectionUtils.isEmpty(hosts)) {
+                String msg = String.format("Cannot find capacity for Kubernetes cluster: host affinity requires all VMs on host %d but it is not available in zone %s",
+                        constraints.requiredHostId, zone.getName());
+                throw new InsufficientServerCapacityException(msg, DataCenter.class, zone.getId());
+            }
+        }
+
+        if (constraints.hasHostAntiAffinity) {
+            hosts = hosts.stream().filter(host -> !constraints.antiAffinityOccupiedHosts.contains(host.getId())).collect(Collectors.toList());
+            if (CollectionUtils.isEmpty(hosts)) {
+                String msg = String.format("Cannot find capacity for Kubernetes cluster: host anti-affinity requires each VM on a separate host, " +
+                        "but all %d available hosts in zone %s are already occupied by existing cluster VMs",
+                        constraints.antiAffinityOccupiedHosts.size(), zone.getName());
+                throw new InsufficientServerCapacityException(msg, DataCenter.class, zone.getId());
+            }
+        }
+
+        return hosts;
+    }
+
     protected DeployDestination plan(final long nodesCount, final DataCenter zone, final ServiceOffering offering,
-                                     final Long domainId, final Long accountId, final Hypervisor.HypervisorType hypervisorType, CPU.CPUArch arch) throws InsufficientServerCapacityException {
+                                     final Long domainId, final Long accountId, final Hypervisor.HypervisorType hypervisorType,
+                                     CPU.CPUArch arch, KubernetesClusterNodeType nodeType) throws InsufficientServerCapacityException {
         final int cpu_requested = offering.getCpu() * offering.getSpeed();
         final long ram_requested = offering.getRamSize() * 1024L * 1024L;
         boolean useDedicatedHosts = false;
@@ -191,26 +212,30 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
             } else if (Objects.nonNull(domainId)) {
                 dedicatedHosts = dedicatedResourceDao.listByDomainId(domainId);
             }
-            for (DedicatedResourceVO dedicatedHost : dedicatedHosts) {
-                hosts.add(hostDao.findById(dedicatedHost.getHostId()));
+            for (DedicatedResourceVO dedicatedResource : dedicatedHosts) {
+                hosts.addAll(manager.getHostsForDedicatedResource(dedicatedResource, zone));
                 useDedicatedHosts = true;
             }
         }
         if (hosts.isEmpty()) {
             hosts = resourceManager.listAllHostsInOneZoneByType(Host.Type.Routing, zone.getId());
         }
-        if (hypervisorType != null) {
+        if (Objects.nonNull(hypervisorType)) {
             hosts = hosts.stream().filter(x -> x.getHypervisorType() == hypervisorType).collect(Collectors.toList());
         }
-        if (arch != null) {
+        if (Objects.nonNull(arch)) {
             hosts = hosts.stream().filter(x -> x.getArch().equals(arch)).collect(Collectors.toList());
         }
         if (CollectionUtils.isEmpty(hosts)) {
             String msg = String.format("Cannot find enough capacity for Kubernetes cluster(requested cpu=%d memory=%s) with offering: %s hypervisor: %s and arch: %s",
-                    cpu_requested * nodesCount, toHumanReadableSize(ram_requested * nodesCount), offering.getName(), clusterTemplate.getHypervisorType().toString(), arch.getType());
+                    cpu_requested * nodesCount, toHumanReadableSize(ram_requested * nodesCount), offering.getName(), clusterTemplate.getHypervisorType().toString(),
+                    Objects.nonNull(arch) ? arch.getType() : "null");
             logAndThrow(Level.WARN, msg, new InsufficientServerCapacityException(msg, DataCenter.class, zone.getId()));
         }
 
+        AffinityConstraints affinityConstraints = resolveAffinityConstraints(nodeType, domainId, accountId);
+        hosts = filterHostsByAffinityConstraints(hosts, affinityConstraints, zone);
+
         final Map<String, Pair<HostVO, Integer>> hosts_with_resevered_capacity = new ConcurrentHashMap<String, Pair<HostVO, Integer>>();
         for (HostVO h : hosts) {
             hosts_with_resevered_capacity.put(h.getUuid(), new Pair<HostVO, Integer>(h, 0));
@@ -230,6 +255,9 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
                     continue;
                 }
                 int reserved = hp.second();
+                if (affinityConstraints.hasHostAntiAffinity && reserved > 0) {
+                    continue;
+                }
                 reserved++;
                 ClusterVO cluster = clusterDao.findById(h.getClusterId());
                 ClusterDetailsVO cluster_detail_cpu = clusterDetailsDao.findDetail(cluster.getId(), "cpuOvercommitRatio");
@@ -264,10 +292,17 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
             }
             return new DeployDestination(zone, null, null, null);
         }
-        String msg = String.format("Cannot find enough capacity for Kubernetes cluster(requested cpu=%d memory=%s) with offering: %s hypervisor: %s and arch: %s",
-                cpu_requested * nodesCount, toHumanReadableSize(ram_requested * nodesCount), offering.getName(), clusterTemplate.getHypervisorType().toString(), arch.getType());
-
-        logger.warn(msg);
+        String msg;
+        if (affinityConstraints.hasHostAntiAffinity) {
+            msg = String.format("Cannot find enough capacity for Kubernetes cluster (requested cpu=%d memory=%s) with offering: %s. " +
+                    "Host anti-affinity requires %d separate hosts but not enough suitable hosts are available in zone %s",
+                    cpu_requested * nodesCount, toHumanReadableSize(ram_requested * nodesCount), offering.getName(),
+                    nodesCount, zone.getName());
+        } else {
+            msg = String.format("Cannot find enough capacity for Kubernetes cluster(requested cpu=%d memory=%s) with offering: %s hypervisor: %s and arch: %s",
+                    cpu_requested * nodesCount, toHumanReadableSize(ram_requested * nodesCount), offering.getName(), clusterTemplate.getHypervisorType().toString(),
+                    Objects.nonNull(arch) ? arch.getType() : "null");
+        }
         throw new InsufficientServerCapacityException(msg, DataCenter.class, zone.getId());
     }
 
@@ -296,7 +331,7 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
             if (logger.isDebugEnabled()) {
                 logger.debug("Checking deployment destination for {} nodes on Kubernetes cluster : {} in zone : {}", nodeType.name(), kubernetesCluster.getName(), zone.getName());
             }
-            DeployDestination planForNodeType = plan(nodes, zone, nodeOffering, domainId, accountId, hypervisorType, arch);
+            DeployDestination planForNodeType = plan(nodes, zone, nodeOffering, domainId, accountId, hypervisorType, arch, nodeType);
             destinationMap.put(nodeType.name(), planForNodeType);
         }
         return destinationMap;
@@ -426,21 +461,19 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
         if (StringUtils.isNotBlank(kubernetesCluster.getKeyPair())) {
             keypairs.add(kubernetesCluster.getKeyPair());
         }
-        Long affinityGroupId = getExplicitAffinityGroup(domainId, accountId);
+        List<Long> affinityGroupIds = getMergedAffinityGroupIds(WORKER, domainId, accountId);
         if (kubernetesCluster.getSecurityGroupId() != null && networkModel.checkSecurityGroupSupportForNetwork(owner, zone, networkIds, List.of(kubernetesCluster.getSecurityGroupId()))) {
             List<Long> securityGroupIds = new ArrayList<>();
             securityGroupIds.add(kubernetesCluster.getSecurityGroupId());
             nodeVm = userVmService.createAdvancedSecurityGroupVirtualMachine(zone, serviceOffering, workerNodeTemplate, networkIds, securityGroupIds, owner,
                     hostName, hostName, null, null, null, null, Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST,base64UserData, null, null, keypairs,
-                    null, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null,
+                    null, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null,
                     null, true, null, UserVmManager.CKS_NODE, null, null);
         } else {
             nodeVm = userVmService.createAdvancedVirtualMachine(zone, serviceOffering, workerNodeTemplate, networkIds, owner,
                     hostName, hostName, null, null, null, null,
                     Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST, base64UserData, null, null, keypairs,
-                    null, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
+                    null, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
         }
         if (logger.isInfoEnabled()) {
             logger.info("Created node VM : {}, {} in the Kubernetes cluster : {}", hostName, nodeVm, kubernetesCluster.getName());
@@ -660,7 +693,7 @@ public class KubernetesClusterResourceModifierActionWorker extends KubernetesClu
             ips.add(controlVmNic.getIPv4Address());
             vmIdIpMap.put(clusterVMIds.get(i), ips);
         }
-        lbService.assignToLoadBalancer(lb.getId(), null, vmIdIpMap, false);
+        lbService.assignToLoadBalancer(lb.getId(), null, vmIdIpMap, null, false);
     }
 
     protected Map<Long, Integer> createFirewallRules(IpAddress publicIp, List<Long> clusterVMIds, boolean apiRule) throws ManagementServerException {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
index 6d22a1a3a03..c623426b137 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterScaleWorker.java
@@ -24,10 +24,10 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
 import java.util.stream.Collectors;
 
-import javax.inject.Inject;
-
 import com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType;
 import com.cloud.service.ServiceOfferingVO;
 import com.cloud.storage.VMTemplateVO;
@@ -63,7 +63,6 @@ import com.cloud.utils.ssh.SshHelper;
 import com.cloud.vm.UserVmVO;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.VirtualMachine;
-import com.cloud.vm.dao.VMInstanceDao;
 import org.apache.logging.log4j.Level;
 
 import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType.CONTROL;
@@ -73,9 +72,6 @@ import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClu
 
 public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModifierActionWorker {
 
-    @Inject
-    protected VMInstanceDao vmInstanceDao;
-
     private Map<String, ServiceOffering> serviceOfferingNodeTypeMap;
     private Long clusterSize;
     private List<Long> nodeIds;
@@ -325,7 +321,7 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
         }
     }
 
-    private void validateKubernetesClusterScaleSizeParameters() throws CloudRuntimeException {
+    private void validateKubernetesClusterScaleSizeParameters(KubernetesClusterNodeType nodeType) throws CloudRuntimeException {
         final long originalClusterSize = kubernetesCluster.getNodeCount();
         if (network == null) {
             logTransitStateToFailedIfNeededAndThrow(Level.WARN, String.format("Scaling failed for Kubernetes cluster : %s, cluster network not found", kubernetesCluster.getName()));
@@ -341,12 +337,12 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
             VMTemplateVO clusterTemplate = templateDao.findById(kubernetesCluster.getTemplateId());
             try {
                 if (originalState.equals(KubernetesCluster.State.Running)) {
-                    plan(newVmRequiredCount, zone, clusterServiceOffering, kubernetesCluster.getDomainId(), kubernetesCluster.getAccountId(), clusterTemplate.getHypervisorType(), clusterTemplate.getArch());
+                    plan(newVmRequiredCount, zone, clusterServiceOffering, kubernetesCluster.getDomainId(), kubernetesCluster.getAccountId(), clusterTemplate.getHypervisorType(), clusterTemplate.getArch(), nodeType);
                 } else {
-                    plan(kubernetesCluster.getTotalNodeCount() + newVmRequiredCount, zone, clusterServiceOffering, kubernetesCluster.getDomainId(), kubernetesCluster.getAccountId(), clusterTemplate.getHypervisorType(), clusterTemplate.getArch());
+                    plan(kubernetesCluster.getTotalNodeCount() + newVmRequiredCount, zone, clusterServiceOffering, kubernetesCluster.getDomainId(), kubernetesCluster.getAccountId(), clusterTemplate.getHypervisorType(), clusterTemplate.getArch(), nodeType);
                 }
             } catch (InsufficientCapacityException e) {
-                logTransitStateToFailedIfNeededAndThrow(Level.WARN, String.format("Scaling failed for Kubernetes cluster : %s in zone : %s, insufficient capacity", kubernetesCluster.getName(), zone.getName()));
+                logTransitStateToFailedIfNeededAndThrow(Level.WARN, String.format("Scaling failed for Kubernetes cluster : %s in zone : %s, insufficient capacity: %s", kubernetesCluster.getName(), zone.getName(), e.getMessage()));
             }
         }
         List<KubernetesClusterVmMapVO> vmList = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId());
@@ -465,10 +461,38 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
         return new ArrayList<>(workerVMsMap.subList(startIndex, totalWorkerNodes));
     }
 
+    private void cleanupNewlyCreatedVms(Set<Long> originalVmIds) {
+        List<KubernetesClusterVmMapVO> currentVmMaps = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId());
+        for (KubernetesClusterVmMapVO clusterVmMap : currentVmMaps) {
+            if (originalVmIds.contains(clusterVmMap.getVmId())) {
+                continue;
+            }
+            UserVmVO userVM = userVmDao.findById(clusterVmMap.getVmId());
+            if (Objects.isNull(userVM)) {
+                kubernetesClusterVmMapDao.expunge(clusterVmMap.getId());
+                continue;
+            }
+            logger.warn("Cleaning up VM {} created during failed scale-up of Kubernetes cluster {}", userVM, kubernetesCluster);
+            CallContext vmContext = CallContext.register(CallContext.current(), ApiCommandResourceType.VirtualMachine);
+            vmContext.setEventResourceId(userVM.getId());
+            try {
+                userVmService.destroyVm(userVM.getId(), true);
+                userVmManager.expunge(userVM);
+            } catch (Exception e) {
+                logger.warn("Failed to cleanup VM {} during scale-up rollback for Kubernetes cluster {}", userVM, kubernetesCluster, e);
+            } finally {
+                CallContext.unregister();
+            }
+            kubernetesClusterVmMapDao.expunge(clusterVmMap.getId());
+        }
+    }
+
     private void scaleUpKubernetesClusterSize(final long newVmCount) throws CloudRuntimeException {
         if (!kubernetesCluster.getState().equals(KubernetesCluster.State.Scaling)) {
             stateTransitTo(kubernetesCluster.getId(), KubernetesCluster.Event.ScaleUpRequested);
         }
+        Set<Long> originalVmIds = kubernetesClusterVmMapDao.listByClusterId(kubernetesCluster.getId())
+                .stream().map(KubernetesClusterVmMapVO::getVmId).collect(Collectors.toSet());
         List<UserVm> clusterVMs = new ArrayList<>();
         if (isDefaultTemplateUsed()) {
             LaunchPermissionVO launchPermission = new LaunchPermissionVO(clusterTemplate.getId(), owner.getId());
@@ -478,6 +502,7 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
             clusterVMs = provisionKubernetesClusterNodeVms((int)(newVmCount + kubernetesCluster.getNodeCount()), (int)kubernetesCluster.getNodeCount(), publicIpAddress, kubernetesCluster.getDomainId(), kubernetesCluster.getAccountId());
             updateLoginUserDetails(clusterVMs.stream().map(InternalIdentity::getId).collect(Collectors.toList()));
         } catch (CloudRuntimeException | ManagementServerException | ResourceUnavailableException | InsufficientCapacityException e) {
+            cleanupNewlyCreatedVms(originalVmIds);
             logTransitStateToFailedIfNeededAndThrow(Level.ERROR, String.format("Scaling failed for Kubernetes cluster : %s, unable to provision node VM in the cluster", kubernetesCluster.getName()), e);
         }
         try {
@@ -486,6 +511,7 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
             clusterVMIds.addAll(externalNodeIds);
             scaleKubernetesClusterNetworkRules(clusterVMIds);
         } catch (ManagementServerException e) {
+            cleanupNewlyCreatedVms(originalVmIds);
             logTransitStateToFailedIfNeededAndThrow(Level.ERROR, String.format("Scaling failed for Kubernetes cluster : %s, unable to update network rules", kubernetesCluster.getName()), e);
         }
         attachIsoKubernetesVMs(clusterVMs);
@@ -496,12 +522,13 @@ public class KubernetesClusterScaleWorker extends KubernetesClusterResourceModif
         detachIsoKubernetesVMs(clusterVMs);
         deleteTemplateLaunchPermission();
         if (!readyNodesCountValid) { // Scaling failed
+            cleanupNewlyCreatedVms(originalVmIds);
             logTransitStateToFailedIfNeededAndThrow(Level.ERROR, String.format("Scaling unsuccessful for Kubernetes cluster : %s as it does not have desired number of nodes in ready state", kubernetesCluster.getName()));
         }
     }
 
     private void scaleKubernetesClusterSize(KubernetesClusterNodeType nodeType) throws CloudRuntimeException {
-        validateKubernetesClusterScaleSizeParameters();
+        validateKubernetesClusterScaleSizeParameters(nodeType);
         final long originalClusterSize = kubernetesCluster.getNodeCount();
         final long newVmRequiredCount = clusterSize - originalClusterSize;
         if (KubernetesCluster.State.Created.equals(originalState)) {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterStartWorker.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterStartWorker.java
index aa9317e619b..4ed5ff0167c 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterStartWorker.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterStartWorker.java
@@ -270,7 +270,7 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
             keypairs.add(kubernetesCluster.getKeyPair());
         }
 
-        Long affinityGroupId = getExplicitAffinityGroup(domainId, accountId);
+        List<Long> affinityGroupIds = getMergedAffinityGroupIds(CONTROL, domainId, accountId);
         String userDataDetails = kubernetesCluster.getCniConfigDetails();
         if (kubernetesCluster.getSecurityGroupId() != null &&
                 networkModel.checkSecurityGroupSupportForNetwork(owner, zone, networkIds,
@@ -279,15 +279,13 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
             securityGroupIds.add(kubernetesCluster.getSecurityGroupId());
             controlVm = userVmService.createAdvancedSecurityGroupVirtualMachine(zone, serviceOffering, controlNodeTemplate, networkIds, securityGroupIds, owner,
             hostName, hostName, null, null, null, null, Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST,base64UserData, userDataId, userDataDetails, keypairs,
-                    requestedIps, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null,
+                    requestedIps, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null,
                     null, true, null, UserVmManager.CKS_NODE, null, null);
         } else {
             controlVm = userVmService.createAdvancedVirtualMachine(zone, serviceOffering, controlNodeTemplate, networkIds, owner,
                     hostName, hostName, null, null, null, null,
                     Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST, base64UserData, userDataId, userDataDetails, keypairs,
-                    requestedIps, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
+                    requestedIps, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
         }
         if (logger.isInfoEnabled()) {
             logger.info("Created control VM: {}, {} in the Kubernetes cluster: {}", controlVm, hostName, kubernetesCluster);
@@ -439,7 +437,7 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
             keypairs.add(kubernetesCluster.getKeyPair());
         }
 
-        Long affinityGroupId = getExplicitAffinityGroup(domainId, accountId);
+        List<Long> affinityGroupIds = getMergedAffinityGroupIds(CONTROL, domainId, accountId);
         if (kubernetesCluster.getSecurityGroupId() != null &&
                 networkModel.checkSecurityGroupSupportForNetwork(owner, zone, networkIds,
                         List.of(kubernetesCluster.getSecurityGroupId()))) {
@@ -447,15 +445,13 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
             securityGroupIds.add(kubernetesCluster.getSecurityGroupId());
             additionalControlVm = userVmService.createAdvancedSecurityGroupVirtualMachine(zone, serviceOffering, controlNodeTemplate, networkIds, securityGroupIds, owner,
                     hostName, hostName, null, null, null, null, Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST,base64UserData, null, null, keypairs,
-                    null, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null,
+                    null, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null,
                     null, true, null, UserVmManager.CKS_NODE, null, null);
         } else {
             additionalControlVm = userVmService.createAdvancedVirtualMachine(zone, serviceOffering, controlNodeTemplate, networkIds, owner,
                     hostName, hostName, null, null, null, null,
                     Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST, base64UserData, null, null, keypairs,
-                    null, addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
+                    null, addrs, null, null, affinityGroupIds, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
         }
 
         if (logger.isInfoEnabled()) {
@@ -483,7 +479,7 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
         if (StringUtils.isNotBlank(kubernetesCluster.getKeyPair())) {
             keypairs.add(kubernetesCluster.getKeyPair());
         }
-        Long affinityGroupId = getExplicitAffinityGroup(domainId, accountId);
+        List<Long> affinityGroupIds = getMergedAffinityGroupIds(ETCD, domainId, accountId);
         String hostName = etcdNodeHostnames.get(etcdNodeIndex);
         Map<String, String> customParameterMap = new HashMap<String, String>();
         if (zone.isSecurityGroupEnabled()) {
@@ -491,15 +487,13 @@ public class KubernetesClusterStartWorker extends KubernetesClusterResourceModif
             securityGroupIds.add(kubernetesCluster.getSecurityGroupId());
             etcdNode = userVmService.createAdvancedSecurityGroupVirtualMachine(zone, serviceOffering, etcdTemplate, networkIds, securityGroupIds, owner,
                     hostName, hostName, null, null, null, null, Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST,base64UserData, null, null, keypairs,
-                    Map.of(kubernetesCluster.getNetworkId(), requestedIps.get(etcdNodeIndex)), addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null,
+                    Map.of(kubernetesCluster.getNetworkId(), requestedIps.get(etcdNodeIndex)), addrs, null, null, affinityGroupIds, customParameterMap, null, null, null,
                     null, true, null, null, null, null);
         } else {
             etcdNode = userVmService.createAdvancedVirtualMachine(zone, serviceOffering, etcdTemplate, networkIds, owner,
                     hostName, hostName, null, null, null, null,
                     Hypervisor.HypervisorType.None, BaseCmd.HTTPMethod.POST, base64UserData, null, null, keypairs,
-                    Map.of(kubernetesCluster.getNetworkId(), requestedIps.get(etcdNodeIndex)), addrs, null, null, Objects.nonNull(affinityGroupId) ?
-                            Collections.singletonList(affinityGroupId) : null, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
+                    Map.of(kubernetesCluster.getNetworkId(), requestedIps.get(etcdNodeIndex)), addrs, null, null, affinityGroupIds, customParameterMap, null, null, null, null, true, UserVmManager.CKS_NODE, null, null, null);
         }
 
         if (logger.isInfoEnabled()) {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDao.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDao.java
new file mode 100644
index 00000000000..8c152153a2c
--- /dev/null
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDao.java
@@ -0,0 +1,31 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.kubernetes.cluster.dao;
+
+import java.util.List;
+
+import com.cloud.kubernetes.cluster.KubernetesClusterAffinityGroupMapVO;
+import com.cloud.utils.db.GenericDao;
+
+public interface KubernetesClusterAffinityGroupMapDao extends GenericDao<KubernetesClusterAffinityGroupMapVO, Long> {
+
+    List<KubernetesClusterAffinityGroupMapVO> listByClusterIdAndNodeType(long clusterId, String nodeType);
+
+    List<Long> listAffinityGroupIdsByClusterIdAndNodeType(long clusterId, String nodeType);
+
+    int removeByClusterId(long clusterId);
+}
diff --git a/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDaoImpl.java b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDaoImpl.java
new file mode 100644
index 00000000000..fcd4d6f7c97
--- /dev/null
+++ b/plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/dao/KubernetesClusterAffinityGroupMapDaoImpl.java
@@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.kubernetes.cluster.dao;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.springframework.stereotype.Component;
+
+import com.cloud.kubernetes.cluster.KubernetesClusterAffinityGroupMapVO;
+import com.cloud.utils.db.GenericDaoBase;
+import com.cloud.utils.db.SearchBuilder;
+import com.cloud.utils.db.SearchCriteria;
+
+@Component
+public class KubernetesClusterAffinityGroupMapDaoImpl extends GenericDaoBase<KubernetesClusterAffinityGroupMapVO, Long>
+        implements KubernetesClusterAffinityGroupMapDao {
+
+    private final SearchBuilder<KubernetesClusterAffinityGroupMapVO> clusterIdAndNodeTypeSearch;
+    private final SearchBuilder<KubernetesClusterAffinityGroupMapVO> clusterIdSearch;
+
+    public KubernetesClusterAffinityGroupMapDaoImpl() {
+        clusterIdAndNodeTypeSearch = createSearchBuilder();
+        clusterIdAndNodeTypeSearch.and("clusterId", clusterIdAndNodeTypeSearch.entity().getClusterId(), SearchCriteria.Op.EQ);
+        clusterIdAndNodeTypeSearch.and("nodeType", clusterIdAndNodeTypeSearch.entity().getNodeType(), SearchCriteria.Op.EQ);
+        clusterIdAndNodeTypeSearch.done();
+
+        clusterIdSearch = createSearchBuilder();
+        clusterIdSearch.and("clusterId", clusterIdSearch.entity().getClusterId(), SearchCriteria.Op.EQ);
+        clusterIdSearch.done();
+    }
+
+    @Override
+    public List<KubernetesClusterAffinityGroupMapVO> listByClusterIdAndNodeType(long clusterId, String nodeType) {
+        SearchCriteria<KubernetesClusterAffinityGroupMapVO> sc = clusterIdAndNodeTypeSearch.create();
+        sc.setParameters("clusterId", clusterId);
+        sc.setParameters("nodeType", nodeType);
+        return listBy(sc);
+    }
+
+    @Override
+    public List<Long> listAffinityGroupIdsByClusterIdAndNodeType(long clusterId, String nodeType) {
+        List<KubernetesClusterAffinityGroupMapVO> maps = listByClusterIdAndNodeType(clusterId, nodeType);
+        if (CollectionUtils.isEmpty(maps)) {
+            return new ArrayList<>();
+        }
+        return maps.stream().map(KubernetesClusterAffinityGroupMapVO::getAffinityGroupId).collect(Collectors.toList());
+    }
+
+    @Override
+    public int removeByClusterId(long clusterId) {
+        SearchCriteria<KubernetesClusterAffinityGroupMapVO> sc = clusterIdSearch.create();
+        sc.setParameters("clusterId", clusterId);
+        return remove(sc);
+    }
+}
diff --git a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/CreateKubernetesClusterCmd.java b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/CreateKubernetesClusterCmd.java
index d30922269da..8d64fee2620 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/CreateKubernetesClusterCmd.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/CreateKubernetesClusterCmd.java
@@ -17,6 +17,7 @@
 package org.apache.cloudstack.api.command.user.kubernetes.cluster;
 
 import java.security.InvalidParameterException;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -79,7 +80,7 @@ public class CreateKubernetesClusterCmd extends BaseAsyncCreateCmd {
     @Inject
     public KubernetesClusterService kubernetesClusterService;
     @Inject
-    protected KubernetesServiceHelper kubernetesClusterHelper;
+    protected KubernetesServiceHelper kubernetesServiceHelper;
     @Inject
     private ConfigurationDao configurationDao;
     @Inject
@@ -125,6 +126,12 @@ public class CreateKubernetesClusterCmd extends BaseAsyncCreateCmd {
             since = "4.21.0")
     private Map<String, Map<String, String>> templateNodeTypeMap;
 
+    @ACL(accessType = AccessType.UseEntry)
+    @Parameter(name = ApiConstants.NODE_TYPE_AFFINITY_GROUP_MAP, type = CommandType.MAP,
+            description = "(Optional) Node Type to Affinity Group ID mapping. If provided, VMs of each node type will be added to the specified affinity group",
+            since = "4.23.0")
+    private Map<String, Map<String, String>> affinityGroupNodeTypeMap;
+
     @ACL(accessType = AccessType.UseEntry)
     @Parameter(name = ApiConstants.ETCD_NODES, type = CommandType.LONG,
             description = "(Optional) Number of Kubernetes cluster etcd nodes, default is 0." +
@@ -314,11 +321,15 @@ public class CreateKubernetesClusterCmd extends BaseAsyncCreateCmd {
     }
 
     public Map<String, Long> getServiceOfferingNodeTypeMap() {
-        return kubernetesClusterHelper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
+        return kubernetesServiceHelper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
     }
 
     public Map<String, Long> getTemplateNodeTypeMap() {
-        return kubernetesClusterHelper.getTemplateNodeTypeMap(templateNodeTypeMap);
+        return kubernetesServiceHelper.getTemplateNodeTypeMap(templateNodeTypeMap);
+    }
+
+    public Map<String, List<Long>> getAffinityGroupNodeTypeMap() {
+        return kubernetesServiceHelper.getAffinityGroupNodeTypeMap(affinityGroupNodeTypeMap);
     }
 
     public Hypervisor.HypervisorType getHypervisorType() {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/ScaleKubernetesClusterCmd.java b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/ScaleKubernetesClusterCmd.java
index c7ee0b7da92..1cff2649428 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/ScaleKubernetesClusterCmd.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/ScaleKubernetesClusterCmd.java
@@ -57,7 +57,7 @@ public class ScaleKubernetesClusterCmd extends BaseAsyncCmd {
     @Inject
     public KubernetesClusterService kubernetesClusterService;
     @Inject
-    protected KubernetesServiceHelper kubernetesClusterHelper;
+    protected KubernetesServiceHelper kubernetesServiceHelper;
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -114,7 +114,7 @@ public class ScaleKubernetesClusterCmd extends BaseAsyncCmd {
     }
 
     public Map<String, Long> getServiceOfferingNodeTypeMap() {
-        return kubernetesClusterHelper.getServiceOfferingNodeTypeMap(this.serviceOfferingNodeTypeMap);
+        return kubernetesServiceHelper.getServiceOfferingNodeTypeMap(this.serviceOfferingNodeTypeMap);
     }
 
     public Long getClusterSize() {
diff --git a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/UpdateKubernetesClusterAffinityGroupCmd.java b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/UpdateKubernetesClusterAffinityGroupCmd.java
new file mode 100644
index 00000000000..16a19e410ac
--- /dev/null
+++ b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/command/user/kubernetes/cluster/UpdateKubernetesClusterAffinityGroupCmd.java
@@ -0,0 +1,113 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.kubernetes.cluster;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ResponseObject;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.KubernetesClusterResponse;
+import org.apache.cloudstack.context.CallContext;
+
+import com.cloud.kubernetes.cluster.KubernetesCluster;
+import com.cloud.kubernetes.cluster.KubernetesClusterService;
+import com.cloud.kubernetes.cluster.KubernetesServiceHelper;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "updateKubernetesClusterAffinityGroups",
+        description = "Updates the affinity group mappings for a stopped Kubernetes cluster",
+        responseObject = KubernetesClusterResponse.class,
+        responseView = ResponseObject.ResponseView.Restricted,
+        entityType = {KubernetesCluster.class},
+        requestHasSensitiveInfo = false,
+        responseHasSensitiveInfo = true,
+        since = "4.23.0",
+        authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
+public class UpdateKubernetesClusterAffinityGroupCmd extends BaseCmd {
+
+    @Inject
+    public KubernetesClusterService kubernetesClusterService;
+    @Inject
+    protected KubernetesServiceHelper kubernetesServiceHelper;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, required = true,
+        entityType = KubernetesClusterResponse.class,
+        description = "The ID of the Kubernetes cluster")
+    private Long id;
+
+    @ACL(accessType = SecurityChecker.AccessType.UseEntry)
+    @Parameter(name = ApiConstants.NODE_TYPE_AFFINITY_GROUP_MAP, type = CommandType.MAP,
+            description = "Node Type to Affinity Group ID mapping. VMs of each node type will be added to the specified affinity group",
+            since = "4.23.0")
+    private Map<String, Map<String, String>> affinityGroupNodeTypeMap;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getId() {
+        return id;
+    }
+
+    public Map<String, List<Long>> getAffinityGroupNodeTypeMap() {
+        return kubernetesServiceHelper.getAffinityGroupNodeTypeMap(affinityGroupNodeTypeMap);
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.KubernetesCluster;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ServerApiException {
+        try {
+            if (!kubernetesClusterService.updateKubernetesClusterAffinityGroups(this)) {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR,
+                        String.format("Failed to update affinity groups for Kubernetes cluster ID: %d", getId()));
+            }
+            final KubernetesClusterResponse response = kubernetesClusterService.createKubernetesClusterResponse(getId());
+            response.setResponseName(getCommandName());
+            setResponseObject(response);
+        } catch (CloudRuntimeException exception) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, exception.getMessage());
+        }
+    }
+}
diff --git a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/response/KubernetesClusterResponse.java b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/response/KubernetesClusterResponse.java
index 0a7e7a97939..932d722de35 100644
--- a/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/response/KubernetesClusterResponse.java
+++ b/plugins/integrations/kubernetes-service/src/main/java/org/apache/cloudstack/api/response/KubernetesClusterResponse.java
@@ -220,6 +220,30 @@ public class KubernetesClusterResponse extends BaseResponseWithAnnotations imple
     @Param(description = "The date when this Kubernetes cluster was created")
     private Date created;
 
+    @SerializedName(ApiConstants.CONTROL_AFFINITY_GROUP_IDS)
+    @Param(description = "The IDs of affinity groups associated with control nodes", since = "4.23.0")
+    private String controlAffinityGroupIds;
+
+    @SerializedName(ApiConstants.CONTROL_AFFINITY_GROUP_NAMES)
+    @Param(description = "The names of affinity groups associated with control nodes", since = "4.23.0")
+    private String controlAffinityGroupNames;
+
+    @SerializedName(ApiConstants.WORKER_AFFINITY_GROUP_IDS)
+    @Param(description = "The IDs of affinity groups associated with worker nodes", since = "4.23.0")
+    private String workerAffinityGroupIds;
+
+    @SerializedName(ApiConstants.WORKER_AFFINITY_GROUP_NAMES)
+    @Param(description = "The names of affinity groups associated with worker nodes", since = "4.23.0")
+    private String workerAffinityGroupNames;
+
+    @SerializedName(ApiConstants.ETCD_AFFINITY_GROUP_IDS)
+    @Param(description = "The IDs of affinity groups associated with etcd nodes", since = "4.23.0")
+    private String etcdAffinityGroupIds;
+
+    @SerializedName(ApiConstants.ETCD_AFFINITY_GROUP_NAMES)
+    @Param(description = "The names of affinity groups associated with etcd nodes", since = "4.23.0")
+    private String etcdAffinityGroupNames;
+
     public KubernetesClusterResponse() {
     }
 
@@ -535,4 +559,28 @@ public class KubernetesClusterResponse extends BaseResponseWithAnnotations imple
     public void setCsiEnabled(Boolean csiEnabled) {
         isCsiEnabled = csiEnabled;
     }
+
+    public void setControlAffinityGroupIds(String controlAffinityGroupIds) {
+        this.controlAffinityGroupIds = controlAffinityGroupIds;
+    }
+
+    public void setControlAffinityGroupNames(String controlAffinityGroupNames) {
+        this.controlAffinityGroupNames = controlAffinityGroupNames;
+    }
+
+    public void setWorkerAffinityGroupIds(String workerAffinityGroupIds) {
+        this.workerAffinityGroupIds = workerAffinityGroupIds;
+    }
+
+    public void setWorkerAffinityGroupNames(String workerAffinityGroupNames) {
+        this.workerAffinityGroupNames = workerAffinityGroupNames;
+    }
+
+    public void setEtcdAffinityGroupIds(String etcdAffinityGroupIds) {
+        this.etcdAffinityGroupIds = etcdAffinityGroupIds;
+    }
+
+    public void setEtcdAffinityGroupNames(String etcdAffinityGroupNames) {
+        this.etcdAffinityGroupNames = etcdAffinityGroupNames;
+    }
 }
diff --git a/plugins/integrations/kubernetes-service/src/main/resources/META-INF/cloudstack/kubernetes-service/spring-kubernetes-service-context.xml b/plugins/integrations/kubernetes-service/src/main/resources/META-INF/cloudstack/kubernetes-service/spring-kubernetes-service-context.xml
index 9d236eed26c..05336678629 100644
--- a/plugins/integrations/kubernetes-service/src/main/resources/META-INF/cloudstack/kubernetes-service/spring-kubernetes-service-context.xml
+++ b/plugins/integrations/kubernetes-service/src/main/resources/META-INF/cloudstack/kubernetes-service/spring-kubernetes-service-context.xml
@@ -32,6 +32,7 @@
     <bean id="kubernetesClusterDaoImpl" class="com.cloud.kubernetes.cluster.dao.KubernetesClusterDaoImpl" />
     <bean id="kubernetesClusterDetailsDaoImpl" class="com.cloud.kubernetes.cluster.dao.KubernetesClusterDetailsDaoImpl" />
     <bean id="kubernetesClusterVmMapDaoImpl" class="com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDaoImpl" />
+    <bean id="kubernetesClusterAffinityGroupMapDaoImpl" class="com.cloud.kubernetes.cluster.dao.KubernetesClusterAffinityGroupMapDaoImpl" />
     <bean id="kubernetesClusterManagerImpl" class="com.cloud.kubernetes.cluster.KubernetesClusterManagerImpl" />
 
     <bean id="kubernetesServiceHelper" class="com.cloud.kubernetes.cluster.KubernetesServiceHelperImpl" >
diff --git a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVOTest.java b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVOTest.java
new file mode 100644
index 00000000000..d0aafc7d1e5
--- /dev/null
+++ b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterAffinityGroupMapVOTest.java
@@ -0,0 +1,87 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.kubernetes.cluster;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class KubernetesClusterAffinityGroupMapVOTest {
+
+    @Test
+    public void testConstructorAndGetters() {
+        KubernetesClusterAffinityGroupMapVO vo =
+            new KubernetesClusterAffinityGroupMapVO(1L, "CONTROL", 100L);
+
+        Assert.assertEquals(1L, vo.getClusterId());
+        Assert.assertEquals("CONTROL", vo.getNodeType());
+        Assert.assertEquals(100L, vo.getAffinityGroupId());
+    }
+
+    @Test
+    public void testDefaultConstructor() {
+        KubernetesClusterAffinityGroupMapVO vo = new KubernetesClusterAffinityGroupMapVO();
+        Assert.assertNotNull(vo);
+    }
+
+    @Test
+    public void testSetClusterId() {
+        KubernetesClusterAffinityGroupMapVO vo = new KubernetesClusterAffinityGroupMapVO();
+        vo.setClusterId(2L);
+        Assert.assertEquals(2L, vo.getClusterId());
+    }
+
+    @Test
+    public void testSetNodeType() {
+        KubernetesClusterAffinityGroupMapVO vo = new KubernetesClusterAffinityGroupMapVO();
+        vo.setNodeType("WORKER");
+        Assert.assertEquals("WORKER", vo.getNodeType());
+    }
+
+    @Test
+    public void testSetAffinityGroupId() {
+        KubernetesClusterAffinityGroupMapVO vo = new KubernetesClusterAffinityGroupMapVO();
+        vo.setAffinityGroupId(200L);
+        Assert.assertEquals(200L, vo.getAffinityGroupId());
+    }
+
+    @Test
+    public void testAllNodeTypes() {
+        KubernetesClusterAffinityGroupMapVO controlVo =
+            new KubernetesClusterAffinityGroupMapVO(1L, "CONTROL", 10L);
+        KubernetesClusterAffinityGroupMapVO workerVo =
+            new KubernetesClusterAffinityGroupMapVO(1L, "WORKER", 20L);
+        KubernetesClusterAffinityGroupMapVO etcdVo =
+            new KubernetesClusterAffinityGroupMapVO(1L, "ETCD", 30L);
+
+        Assert.assertEquals("CONTROL", controlVo.getNodeType());
+        Assert.assertEquals("WORKER", workerVo.getNodeType());
+        Assert.assertEquals("ETCD", etcdVo.getNodeType());
+    }
+
+    @Test
+    public void testSettersChain() {
+        KubernetesClusterAffinityGroupMapVO vo = new KubernetesClusterAffinityGroupMapVO();
+
+        vo.setClusterId(5L);
+        vo.setNodeType("ETCD");
+        vo.setAffinityGroupId(500L);
+
+        Assert.assertEquals(5L, vo.getClusterId());
+        Assert.assertEquals("ETCD", vo.getNodeType());
+        Assert.assertEquals(500L, vo.getAffinityGroupId());
+    }
+}
diff --git a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterHelperImplTest.java b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterHelperImplTest.java
deleted file mode 100644
index 298f1dfbcd6..00000000000
--- a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterHelperImplTest.java
+++ /dev/null
@@ -1,145 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-package com.cloud.kubernetes.cluster;
-
-import com.cloud.exception.InvalidParameterValueException;
-import com.cloud.service.ServiceOfferingVO;
-import com.cloud.service.dao.ServiceOfferingDao;
-import com.cloud.vm.VmDetailConstants;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.junit.MockitoJUnitRunner;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-
-import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType.CONTROL;
-import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType.ETCD;
-import static com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType.WORKER;
-
-@RunWith(MockitoJUnitRunner.class)
-public class KubernetesClusterHelperImplTest {
-
-    @Mock
-    private ServiceOfferingDao serviceOfferingDao;
-    @Mock
-    private ServiceOfferingVO workerServiceOffering;
-    @Mock
-    private ServiceOfferingVO controlServiceOffering;
-    @Mock
-    private ServiceOfferingVO etcdServiceOffering;
-
-    private static final String workerNodesOfferingId = UUID.randomUUID().toString();
-    private static final String controlNodesOfferingId = UUID.randomUUID().toString();
-    private static final String etcdNodesOfferingId = UUID.randomUUID().toString();
-    private static final Long workerOfferingId = 1L;
-    private static final Long controlOfferingId = 2L;
-    private static final Long etcdOfferingId = 3L;
-
-    private final KubernetesServiceHelperImpl helper = new KubernetesServiceHelperImpl();
-
-    @Before
-    public void setUp() {
-        helper.serviceOfferingDao = serviceOfferingDao;
-        Mockito.when(serviceOfferingDao.findByUuid(workerNodesOfferingId)).thenReturn(workerServiceOffering);
-        Mockito.when(serviceOfferingDao.findByUuid(controlNodesOfferingId)).thenReturn(controlServiceOffering);
-        Mockito.when(serviceOfferingDao.findByUuid(etcdNodesOfferingId)).thenReturn(etcdServiceOffering);
-        Mockito.when(workerServiceOffering.getId()).thenReturn(workerOfferingId);
-        Mockito.when(controlServiceOffering.getId()).thenReturn(controlOfferingId);
-        Mockito.when(etcdServiceOffering.getId()).thenReturn(etcdOfferingId);
-    }
-
-    @Test
-    public void testIsValidNodeTypeEmptyNodeType() {
-        Assert.assertFalse(helper.isValidNodeType(null));
-    }
-
-    @Test
-    public void testIsValidNodeTypeInvalidNodeType() {
-        String nodeType = "invalidNodeType";
-        Assert.assertFalse(helper.isValidNodeType(nodeType));
-    }
-
-    @Test
-    public void testIsValidNodeTypeValidNodeTypeLowercase() {
-        String nodeType = KubernetesServiceHelper.KubernetesClusterNodeType.WORKER.name().toLowerCase();
-        Assert.assertTrue(helper.isValidNodeType(nodeType));
-    }
-
-    private Map<String, String> createMapEntry(KubernetesServiceHelper.KubernetesClusterNodeType nodeType,
-                                               String nodeTypeOfferingUuid) {
-        Map<String, String> map = new HashMap<>();
-        map.put(VmDetailConstants.CKS_NODE_TYPE, nodeType.name().toLowerCase());
-        map.put(VmDetailConstants.OFFERING, nodeTypeOfferingUuid);
-        return map;
-    }
-
-    @Test
-    public void testNodeOfferingMap() {
-        Map<String, Map<String, String>> serviceOfferingNodeTypeMap = new HashMap<>();
-        Map<String, String> firstMap = createMapEntry(WORKER, workerNodesOfferingId);
-        Map<String, String> secondMap = createMapEntry(CONTROL, controlNodesOfferingId);
-        serviceOfferingNodeTypeMap.put("map1", firstMap);
-        serviceOfferingNodeTypeMap.put("map2", secondMap);
-        Map<String, Long> map = helper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
-        Assert.assertNotNull(map);
-        Assert.assertEquals(2, map.size());
-        Assert.assertTrue(map.containsKey(WORKER.name()) && map.containsKey(CONTROL.name()));
-        Assert.assertEquals(workerOfferingId, map.get(WORKER.name()));
-        Assert.assertEquals(controlOfferingId, map.get(CONTROL.name()));
-    }
-
-    @Test
-    public void testNodeOfferingMapNullMap() {
-        Map<String, Long> map = helper.getServiceOfferingNodeTypeMap(null);
-        Assert.assertTrue(map.isEmpty());
-    }
-
-    @Test
-    public void testNodeOfferingMapEtcdNodes() {
-        Map<String, Map<String, String>> serviceOfferingNodeTypeMap = new HashMap<>();
-        Map<String, String> firstMap = createMapEntry(ETCD, etcdNodesOfferingId);
-        serviceOfferingNodeTypeMap.put("map1", firstMap);
-        Map<String, Long> map = helper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
-        Assert.assertNotNull(map);
-        Assert.assertEquals(1, map.size());
-        Assert.assertTrue(map.containsKey(ETCD.name()));
-        Assert.assertEquals(etcdOfferingId, map.get(ETCD.name()));
-    }
-
-    @Test(expected = InvalidParameterValueException.class)
-    public void testCheckNodeTypeOfferingEntryCompletenessInvalidParameters() {
-        helper.checkNodeTypeOfferingEntryCompleteness(WORKER.name(), null);
-    }
-
-    @Test(expected = InvalidParameterValueException.class)
-    public void testCheckNodeTypeOfferingEntryValuesInvalidNodeType() {
-        String invalidNodeType = "invalidNodeTypeName";
-        helper.checkNodeTypeOfferingEntryValues(invalidNodeType, workerServiceOffering, workerNodesOfferingId);
-    }
-
-    @Test(expected = InvalidParameterValueException.class)
-    public void testCheckNodeTypeOfferingEntryValuesEmptyOffering() {
-        String nodeType = WORKER.name();
-        helper.checkNodeTypeOfferingEntryValues(nodeType, null, workerNodesOfferingId);
-    }
-}
diff --git a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImplTest.java b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImplTest.java
index 2a381f282de..71949459c86 100644
--- a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImplTest.java
+++ b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImplTest.java
@@ -26,6 +26,7 @@ import com.cloud.dc.DataCenter;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.kubernetes.cluster.actionworkers.KubernetesClusterActionWorker;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterAffinityGroupMapDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
 import com.cloud.kubernetes.version.KubernetesSupportedVersion;
@@ -46,9 +47,14 @@ import com.cloud.utils.Pair;
 import com.cloud.utils.net.NetUtils;
 import com.cloud.vm.VMInstanceVO;
 import com.cloud.vm.dao.VMInstanceDao;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
+import org.apache.cloudstack.affinity.AffinityGroupVO;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.AddVirtualMachinesToKubernetesClusterCmd;
 import org.apache.cloudstack.api.command.user.kubernetes.cluster.RemoveVirtualMachinesFromKubernetesClusterCmd;
+import org.apache.cloudstack.api.response.KubernetesClusterResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.commons.collections.MapUtils;
@@ -103,6 +109,15 @@ public class KubernetesClusterManagerImplTest {
     @Mock
     private ServiceOfferingDao serviceOfferingDao;
 
+    @Mock
+    private KubernetesClusterAffinityGroupMapDao kubernetesClusterAffinityGroupMapDao;
+
+    @Mock
+    private AffinityGroupDao affinityGroupDao;
+
+    @Mock
+    private HostDao hostDao;
+
     @Spy
     @InjectMocks
     KubernetesClusterManagerImpl kubernetesClusterManager;
@@ -441,4 +456,462 @@ public class KubernetesClusterManagerImplTest {
         String cksClusterPreferredArch = kubernetesClusterManager.getCksClusterPreferredArch(systemVMArch, cksIso);
         Assert.assertEquals(CPU.CPUArch.amd64.getType(), cksClusterPreferredArch);
     }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeControl() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        AffinityGroupVO ag1 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO ag2 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(ag1.getUuid()).thenReturn("uuid-1");
+        Mockito.when(ag1.getName()).thenReturn("affinity-group-1");
+        Mockito.when(ag2.getUuid()).thenReturn("uuid-2");
+        Mockito.when(ag2.getName()).thenReturn("affinity-group-2");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, CONTROL.name()))
+            .thenReturn(Arrays.asList(1L, 2L));
+        Mockito.when(affinityGroupDao.findById(1L)).thenReturn(ag1);
+        Mockito.when(affinityGroupDao.findById(2L)).thenReturn(ag2);
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, CONTROL.name());
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, CONTROL.name());
+        Mockito.verify(affinityGroupDao).findById(1L);
+        Mockito.verify(affinityGroupDao).findById(2L);
+    }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeWorker() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        AffinityGroupVO ag = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(ag.getUuid()).thenReturn("worker-uuid");
+        Mockito.when(ag.getName()).thenReturn("worker-affinity");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(ag);
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, WORKER.name());
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, WORKER.name());
+        Mockito.verify(affinityGroupDao).findById(10L);
+    }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeEtcd() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        AffinityGroupVO ag = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(ag.getUuid()).thenReturn("etcd-uuid");
+        Mockito.when(ag.getName()).thenReturn("etcd-affinity");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, ETCD.name()))
+            .thenReturn(Arrays.asList(20L));
+        Mockito.when(affinityGroupDao.findById(20L)).thenReturn(ag);
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, ETCD.name());
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, ETCD.name());
+        Mockito.verify(affinityGroupDao).findById(20L);
+    }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeEmptyList() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, CONTROL.name()))
+            .thenReturn(Collections.emptyList());
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, CONTROL.name());
+
+        Mockito.verify(affinityGroupDao, Mockito.never()).findById(Mockito.anyLong());
+    }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeNullList() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, ETCD.name()))
+            .thenReturn(null);
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, ETCD.name());
+
+        Mockito.verify(affinityGroupDao, Mockito.never()).findById(Mockito.anyLong());
+    }
+
+    @Test
+    public void testSetAffinityGroupResponseForNodeTypeNullAffinityGroup() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        AffinityGroupVO ag1 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(ag1.getUuid()).thenReturn("uuid-1");
+        Mockito.when(ag1.getName()).thenReturn("affinity-group-1");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(clusterId, CONTROL.name()))
+            .thenReturn(Arrays.asList(1L, 2L));
+        Mockito.when(affinityGroupDao.findById(1L)).thenReturn(ag1);
+        Mockito.when(affinityGroupDao.findById(2L)).thenReturn(null);
+
+        kubernetesClusterManager.setAffinityGroupResponseForNodeType(response, clusterId, CONTROL.name());
+
+        Mockito.verify(affinityGroupDao).findById(1L);
+        Mockito.verify(affinityGroupDao).findById(2L);
+    }
+
+    @Test
+    public void testSetNodeTypeAffinityGroupResponse() {
+        KubernetesClusterResponse response = new KubernetesClusterResponse();
+        long clusterId = 1L;
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(Mockito.eq(clusterId), Mockito.anyString()))
+            .thenReturn(Collections.emptyList());
+
+        kubernetesClusterManager.setNodeTypeAffinityGroupResponse(response, clusterId);
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, CONTROL.name());
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, WORKER.name());
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(clusterId, ETCD.name());
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsNoAffinityGroups() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        List<Long> nodeIds = Arrays.asList(100L, 101L);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Collections.emptyList());
+
+        kubernetesClusterManager.validateNodeAffinityGroups(nodeIds, cluster);
+
+        Mockito.verify(kubernetesClusterVmMapDao, Mockito.never()).listByClusterIdAndVmType(Mockito.anyLong(), Mockito.any());
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsNullAffinityGroups() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        List<Long> nodeIds = Arrays.asList(100L, 101L);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(null);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(nodeIds, cluster);
+
+        Mockito.verify(kubernetesClusterVmMapDao, Mockito.never()).listByClusterIdAndVmType(Mockito.anyLong(), Mockito.any());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateNodeAffinityGroupsAntiAffinityNewNodeOnExistingHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+        Long existingWorkerVmId = 200L;
+        Long sharedHostId = 1000L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(sharedHostId);
+        Mockito.when(newNode.getInstanceName()).thenReturn("new-node-vm");
+
+        VMInstanceVO existingWorkerVm = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(existingWorkerVm.getHostId()).thenReturn(sharedHostId);
+
+        KubernetesClusterVmMapVO workerVmMap = Mockito.mock(KubernetesClusterVmMapVO.class);
+        Mockito.when(workerVmMap.getVmId()).thenReturn(existingWorkerVmId);
+
+        HostVO host = Mockito.mock(HostVO.class);
+        Mockito.when(host.getName()).thenReturn("host-1");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Arrays.asList(workerVmMap));
+        Mockito.when(vmInstanceDao.findById(existingWorkerVmId)).thenReturn(existingWorkerVm);
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+        Mockito.when(hostDao.findById(sharedHostId)).thenReturn(host);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsAntiAffinityNewNodeOnDifferentHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+        Long existingWorkerVmId = 200L;
+        Long existingHostId = 1000L;
+        Long newNodeHostId = 1001L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(newNodeHostId);
+
+        VMInstanceVO existingWorkerVm = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(existingWorkerVm.getHostId()).thenReturn(existingHostId);
+
+        KubernetesClusterVmMapVO workerVmMap = Mockito.mock(KubernetesClusterVmMapVO.class);
+        Mockito.when(workerVmMap.getVmId()).thenReturn(existingWorkerVmId);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Arrays.asList(workerVmMap));
+        Mockito.when(vmInstanceDao.findById(existingWorkerVmId)).thenReturn(existingWorkerVm);
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name());
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsAffinityNewNodeOnSameHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+        Long existingWorkerVmId = 200L;
+        Long sharedHostId = 1000L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getType()).thenReturn("host affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(sharedHostId);
+
+        VMInstanceVO existingWorkerVm = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(existingWorkerVm.getHostId()).thenReturn(sharedHostId);
+
+        KubernetesClusterVmMapVO workerVmMap = Mockito.mock(KubernetesClusterVmMapVO.class);
+        Mockito.when(workerVmMap.getVmId()).thenReturn(existingWorkerVmId);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Arrays.asList(workerVmMap));
+        Mockito.when(vmInstanceDao.findById(existingWorkerVmId)).thenReturn(existingWorkerVm);
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateNodeAffinityGroupsAffinityNewNodeOnDifferentHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+        Long existingWorkerVmId = 200L;
+        Long existingHostId = 1000L;
+        Long newNodeHostId = 1001L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getType()).thenReturn("host affinity");
+        Mockito.when(affinityGroup.getName()).thenReturn("affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(newNodeHostId);
+        Mockito.when(newNode.getInstanceName()).thenReturn("new-node-vm");
+
+        VMInstanceVO existingWorkerVm = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(existingWorkerVm.getHostId()).thenReturn(existingHostId);
+
+        KubernetesClusterVmMapVO workerVmMap = Mockito.mock(KubernetesClusterVmMapVO.class);
+        Mockito.when(workerVmMap.getVmId()).thenReturn(existingWorkerVmId);
+
+        HostVO newHost = Mockito.mock(HostVO.class);
+        Mockito.when(newHost.getName()).thenReturn("host-2");
+
+        HostVO existingHost = Mockito.mock(HostVO.class);
+        Mockito.when(existingHost.getName()).thenReturn("host-1");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Arrays.asList(workerVmMap));
+        Mockito.when(vmInstanceDao.findById(existingWorkerVmId)).thenReturn(existingWorkerVm);
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+        Mockito.when(hostDao.findById(newNodeHostId)).thenReturn(newHost);
+        Mockito.when(hostDao.findById(existingHostId)).thenReturn(existingHost);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateNodeAffinityGroupsAntiAffinityMultipleNewNodesOnSameHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId1 = 100L;
+        Long newNodeId2 = 101L;
+        Long sharedHostId = 1000L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.lenient().when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        VMInstanceVO newNode1 = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode1.getHostId()).thenReturn(sharedHostId);
+        Mockito.lenient().when(newNode1.getInstanceName()).thenReturn("new-node-vm-1");
+
+        VMInstanceVO newNode2 = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode2.getHostId()).thenReturn(sharedHostId);
+        Mockito.when(newNode2.getInstanceName()).thenReturn("new-node-vm-2");
+
+        HostVO host = Mockito.mock(HostVO.class);
+        Mockito.when(host.getName()).thenReturn("host-1");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Collections.emptyList());
+        Mockito.when(vmInstanceDao.findById(newNodeId1)).thenReturn(newNode1);
+        Mockito.when(vmInstanceDao.findById(newNodeId2)).thenReturn(newNode2);
+        Mockito.when(hostDao.findById(sharedHostId)).thenReturn(host);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId1, newNodeId2), cluster);
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsAntiAffinityMultipleNewNodesOnDifferentHosts() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId1 = 100L;
+        Long newNodeId2 = 101L;
+        Long hostId1 = 1000L;
+        Long hostId2 = 1001L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.lenient().when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        VMInstanceVO newNode1 = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode1.getHostId()).thenReturn(hostId1);
+
+        VMInstanceVO newNode2 = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode2.getHostId()).thenReturn(hostId2);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Collections.emptyList());
+        Mockito.when(vmInstanceDao.findById(newNodeId1)).thenReturn(newNode1);
+        Mockito.when(vmInstanceDao.findById(newNodeId2)).thenReturn(newNode2);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId1, newNodeId2), cluster);
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name());
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsNodeWithNullHost() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.lenient().when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(null);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Collections.emptyList());
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+
+        Mockito.verify(vmInstanceDao, Mockito.atLeastOnce()).findById(newNodeId);
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsNullNode() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.lenient().when(affinityGroup.getType()).thenReturn("host anti-affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("anti-affinity-group");
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Collections.emptyList());
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(null);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+
+        Mockito.verify(vmInstanceDao, Mockito.atLeastOnce()).findById(newNodeId);
+    }
+
+    @Test
+    public void testValidateNodeAffinityGroupsAffinityNoExistingWorkers() {
+        KubernetesCluster cluster = Mockito.mock(KubernetesCluster.class);
+        Mockito.when(cluster.getId()).thenReturn(1L);
+        Mockito.lenient().when(cluster.getName()).thenReturn("test-cluster");
+
+        Long newNodeId = 100L;
+        Long newNodeHostId = 1000L;
+
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.lenient().when(affinityGroup.getType()).thenReturn("host affinity");
+        Mockito.lenient().when(affinityGroup.getName()).thenReturn("affinity-group");
+
+        VMInstanceVO newNode = Mockito.mock(VMInstanceVO.class);
+        Mockito.when(newNode.getHostId()).thenReturn(newNodeHostId);
+
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name()))
+            .thenReturn(Arrays.asList(10L));
+        Mockito.when(affinityGroupDao.findById(10L)).thenReturn(affinityGroup);
+        Mockito.when(kubernetesClusterVmMapDao.listByClusterIdAndVmType(1L, WORKER))
+            .thenReturn(Collections.emptyList());
+        Mockito.when(vmInstanceDao.findById(newNodeId)).thenReturn(newNode);
+
+        kubernetesClusterManager.validateNodeAffinityGroups(Arrays.asList(newNodeId), cluster);
+
+        Mockito.verify(kubernetesClusterAffinityGroupMapDao).listAffinityGroupIdsByClusterIdAndNodeType(1L, WORKER.name());
+    }
+
 }
diff --git a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImplTest.java b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImplTest.java
index 3e6688e8757..3994cadc307 100644
--- a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImplTest.java
+++ b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/KubernetesServiceHelperImplTest.java
@@ -17,6 +17,15 @@
 package com.cloud.kubernetes.cluster;
 
 
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import org.apache.cloudstack.affinity.AffinityGroupVO;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
+import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
@@ -24,11 +33,16 @@ import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
 
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
+import com.cloud.service.ServiceOfferingVO;
+import com.cloud.service.dao.ServiceOfferingDao;
 import com.cloud.uservm.UserVm;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.UserVmManager;
+import com.cloud.vm.VmDetailConstants;
 
 @RunWith(MockitoJUnitRunner.class)
 public class KubernetesServiceHelperImplTest {
@@ -36,6 +50,10 @@ public class KubernetesServiceHelperImplTest {
     KubernetesClusterVmMapDao kubernetesClusterVmMapDao;
     @Mock
     KubernetesClusterDao kubernetesClusterDao;
+    @Mock
+    AffinityGroupDao affinityGroupDao;
+    @Mock
+    ServiceOfferingDao serviceOfferingDao;
 
     @InjectMocks
     KubernetesServiceHelperImpl kubernetesServiceHelper = new KubernetesServiceHelperImpl();
@@ -84,4 +102,302 @@ public class KubernetesServiceHelperImplTest {
         Mockito.when(kubernetesCluster.getClusterType()).thenReturn(KubernetesCluster.ClusterType.ExternalManaged);
         kubernetesServiceHelper.checkVmCanBeDestroyed(vm);
     }
+
+    @Test
+    public void testIsValidNodeTypeEmptyNodeType() {
+        Assert.assertFalse(kubernetesServiceHelper.isValidNodeType(null));
+    }
+
+    @Test
+    public void testIsValidNodeTypeInvalidNodeType() {
+        Assert.assertFalse(kubernetesServiceHelper.isValidNodeType("invalidNodeType"));
+    }
+
+    @Test
+    public void testIsValidNodeTypeValidNodeTypeLowercase() {
+        String nodeType = KubernetesClusterNodeType.WORKER.name().toLowerCase();
+        Assert.assertTrue(kubernetesServiceHelper.isValidNodeType(nodeType));
+    }
+
+    private Map<String, String> createServiceOfferingMapEntry(KubernetesClusterNodeType nodeType, String offeringUuid) {
+        Map<String, String> map = new HashMap<>();
+        map.put(VmDetailConstants.CKS_NODE_TYPE, nodeType.name().toLowerCase());
+        map.put(VmDetailConstants.OFFERING, offeringUuid);
+        return map;
+    }
+
+    @Test
+    public void testGetServiceOfferingNodeTypeMap() {
+        String workerOfferingUuid = UUID.randomUUID().toString();
+        String controlOfferingUuid = UUID.randomUUID().toString();
+
+        ServiceOfferingVO workerOffering = Mockito.mock(ServiceOfferingVO.class);
+        Mockito.when(workerOffering.getId()).thenReturn(1L);
+        Mockito.when(serviceOfferingDao.findByUuid(workerOfferingUuid)).thenReturn(workerOffering);
+
+        ServiceOfferingVO controlOffering = Mockito.mock(ServiceOfferingVO.class);
+        Mockito.when(controlOffering.getId()).thenReturn(2L);
+        Mockito.when(serviceOfferingDao.findByUuid(controlOfferingUuid)).thenReturn(controlOffering);
+
+        Map<String, Map<String, String>> serviceOfferingNodeTypeMap = new HashMap<>();
+        serviceOfferingNodeTypeMap.put("map1", createServiceOfferingMapEntry(KubernetesClusterNodeType.WORKER, workerOfferingUuid));
+        serviceOfferingNodeTypeMap.put("map2", createServiceOfferingMapEntry(KubernetesClusterNodeType.CONTROL, controlOfferingUuid));
+
+        Map<String, Long> result = kubernetesServiceHelper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
+
+        Assert.assertNotNull(result);
+        Assert.assertEquals(2, result.size());
+        Assert.assertTrue(result.containsKey(KubernetesClusterNodeType.WORKER.name()));
+        Assert.assertTrue(result.containsKey(KubernetesClusterNodeType.CONTROL.name()));
+        Assert.assertEquals(Long.valueOf(1L), result.get(KubernetesClusterNodeType.WORKER.name()));
+        Assert.assertEquals(Long.valueOf(2L), result.get(KubernetesClusterNodeType.CONTROL.name()));
+    }
+
+    @Test
+    public void testGetServiceOfferingNodeTypeMapNullMap() {
+        Map<String, Long> result = kubernetesServiceHelper.getServiceOfferingNodeTypeMap(null);
+        Assert.assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void testGetServiceOfferingNodeTypeMapEtcdNodes() {
+        String etcdOfferingUuid = UUID.randomUUID().toString();
+
+        ServiceOfferingVO etcdOffering = Mockito.mock(ServiceOfferingVO.class);
+        Mockito.when(etcdOffering.getId()).thenReturn(3L);
+        Mockito.when(serviceOfferingDao.findByUuid(etcdOfferingUuid)).thenReturn(etcdOffering);
+
+        Map<String, Map<String, String>> serviceOfferingNodeTypeMap = new HashMap<>();
+        serviceOfferingNodeTypeMap.put("map1", createServiceOfferingMapEntry(KubernetesClusterNodeType.ETCD, etcdOfferingUuid));
+
+        Map<String, Long> result = kubernetesServiceHelper.getServiceOfferingNodeTypeMap(serviceOfferingNodeTypeMap);
+
+        Assert.assertNotNull(result);
+        Assert.assertEquals(1, result.size());
+        Assert.assertTrue(result.containsKey(KubernetesClusterNodeType.ETCD.name()));
+        Assert.assertEquals(Long.valueOf(3L), result.get(KubernetesClusterNodeType.ETCD.name()));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeOfferingEntryCompletenessInvalidParameters() {
+        kubernetesServiceHelper.checkNodeTypeOfferingEntryCompleteness(KubernetesClusterNodeType.WORKER.name(), null);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeOfferingEntryValuesInvalidNodeType() {
+        ServiceOfferingVO offering = Mockito.mock(ServiceOfferingVO.class);
+        kubernetesServiceHelper.checkNodeTypeOfferingEntryValues("invalidNodeTypeName", offering, "some-uuid");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeOfferingEntryValuesEmptyOffering() {
+        kubernetesServiceHelper.checkNodeTypeOfferingEntryValues(KubernetesClusterNodeType.WORKER.name(), null, "some-uuid");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeAffinityGroupEntryCompletenessBlankNodeType() {
+        kubernetesServiceHelper.checkNodeTypeAffinityGroupEntryCompleteness("", "affinity-group-uuid");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeAffinityGroupEntryCompletenessBlankAffinityGroupUuid() {
+        kubernetesServiceHelper.checkNodeTypeAffinityGroupEntryCompleteness("control", "");
+    }
+
+    @Test
+    public void testCheckNodeTypeAffinityGroupEntryCompletenessValid() {
+        kubernetesServiceHelper.checkNodeTypeAffinityGroupEntryCompleteness("control", "affinity-group-uuid");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCheckNodeTypeAffinityGroupEntryNodeTypeInvalid() {
+        kubernetesServiceHelper.checkNodeTypeAffinityGroupEntryNodeType("invalid-node-type");
+    }
+
+    @Test
+    public void testCheckNodeTypeAffinityGroupEntryNodeTypeValid() {
+        kubernetesServiceHelper.checkNodeTypeAffinityGroupEntryNodeType("control");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateAffinityGroupUuidAndGetIdBlank() {
+        kubernetesServiceHelper.validateAffinityGroupUuidAndGetId("");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateAffinityGroupUuidAndGetIdNotFound() {
+        Mockito.when(affinityGroupDao.findByUuid("non-existent-uuid")).thenReturn(null);
+        kubernetesServiceHelper.validateAffinityGroupUuidAndGetId("non-existent-uuid");
+    }
+
+    @Test
+    public void testValidateAffinityGroupUuidAndGetIdValid() {
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getId()).thenReturn(100L);
+        Mockito.when(affinityGroupDao.findByUuid("valid-uuid")).thenReturn(affinityGroup);
+        Long result = kubernetesServiceHelper.validateAffinityGroupUuidAndGetId("valid-uuid");
+        Assert.assertEquals(Long.valueOf(100L), result);
+    }
+
+    @Test
+    public void testValidateAndGetAffinityGroupIdsSingleUuid() {
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getId()).thenReturn(1L);
+        Mockito.when(affinityGroupDao.findByUuid("uuid1")).thenReturn(affinityGroup);
+
+        List<Long> result = kubernetesServiceHelper.validateAndGetAffinityGroupIds("uuid1");
+        Assert.assertEquals(1, result.size());
+        Assert.assertEquals(Long.valueOf(1L), result.get(0));
+    }
+
+    @Test
+    public void testValidateAndGetAffinityGroupIdsMultipleUuids() {
+        AffinityGroupVO affinityGroup1 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO affinityGroup2 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO affinityGroup3 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup1.getId()).thenReturn(1L);
+        Mockito.when(affinityGroup2.getId()).thenReturn(2L);
+        Mockito.when(affinityGroup3.getId()).thenReturn(3L);
+        Mockito.when(affinityGroupDao.findByUuid("uuid1")).thenReturn(affinityGroup1);
+        Mockito.when(affinityGroupDao.findByUuid("uuid2")).thenReturn(affinityGroup2);
+        Mockito.when(affinityGroupDao.findByUuid("uuid3")).thenReturn(affinityGroup3);
+
+        List<Long> result = kubernetesServiceHelper.validateAndGetAffinityGroupIds("uuid1,uuid2,uuid3");
+        Assert.assertEquals(3, result.size());
+        Assert.assertEquals(Arrays.asList(1L, 2L, 3L), result);
+    }
+
+    @Test
+    public void testValidateAndGetAffinityGroupIdsWithSpaces() {
+        AffinityGroupVO affinityGroup1 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO affinityGroup2 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup1.getId()).thenReturn(1L);
+        Mockito.when(affinityGroup2.getId()).thenReturn(2L);
+        Mockito.when(affinityGroupDao.findByUuid("uuid1")).thenReturn(affinityGroup1);
+        Mockito.when(affinityGroupDao.findByUuid("uuid2")).thenReturn(affinityGroup2);
+
+        List<Long> result = kubernetesServiceHelper.validateAndGetAffinityGroupIds("  uuid1  ,  uuid2  ");
+        Assert.assertEquals(2, result.size());
+        Assert.assertEquals(Arrays.asList(1L, 2L), result);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testValidateAndGetAffinityGroupIdsOneInvalid() {
+        AffinityGroupVO affinityGroup1 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroupDao.findByUuid("uuid1")).thenReturn(affinityGroup1);
+        Mockito.when(affinityGroupDao.findByUuid("invalid-uuid")).thenReturn(null);
+
+        kubernetesServiceHelper.validateAndGetAffinityGroupIds("uuid1,invalid-uuid");
+    }
+
+    @Test
+    public void testAddNodeTypeAffinityGroupEntry() {
+        Map<String, List<Long>> mapping = new HashMap<>();
+        kubernetesServiceHelper.addNodeTypeAffinityGroupEntry("control", Arrays.asList(1L, 2L), mapping);
+        Assert.assertEquals(1, mapping.size());
+        Assert.assertEquals(Arrays.asList(1L, 2L), mapping.get("CONTROL"));
+    }
+
+    @Test
+    public void testProcessNodeTypeAffinityGroupEntryAndAddToMappingIfValidEmptyEntry() {
+        Map<String, List<Long>> mapping = new HashMap<>();
+        kubernetesServiceHelper.processNodeTypeAffinityGroupEntryAndAddToMappingIfValid(new HashMap<>(), mapping);
+        Assert.assertTrue(mapping.isEmpty());
+    }
+
+    @Test
+    public void testProcessNodeTypeAffinityGroupEntryAndAddToMappingIfValidValidEntry() {
+        AffinityGroupVO affinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup.getId()).thenReturn(100L);
+        Mockito.when(affinityGroupDao.findByUuid("affinity-group-uuid")).thenReturn(affinityGroup);
+
+        Map<String, String> entry = new HashMap<>();
+        entry.put(VmDetailConstants.CKS_NODE_TYPE, "control");
+        entry.put(VmDetailConstants.AFFINITY_GROUP, "affinity-group-uuid");
+
+        Map<String, List<Long>> mapping = new HashMap<>();
+        kubernetesServiceHelper.processNodeTypeAffinityGroupEntryAndAddToMappingIfValid(entry, mapping);
+        Assert.assertEquals(1, mapping.size());
+        Assert.assertEquals(Arrays.asList(100L), mapping.get("CONTROL"));
+    }
+
+    @Test
+    public void testProcessNodeTypeAffinityGroupEntryAndAddToMappingIfValidMultipleUuids() {
+        AffinityGroupVO affinityGroup1 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO affinityGroup2 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(affinityGroup1.getId()).thenReturn(1L);
+        Mockito.when(affinityGroup2.getId()).thenReturn(2L);
+        Mockito.when(affinityGroupDao.findByUuid("uuid1")).thenReturn(affinityGroup1);
+        Mockito.when(affinityGroupDao.findByUuid("uuid2")).thenReturn(affinityGroup2);
+
+        Map<String, String> entry = new HashMap<>();
+        entry.put(VmDetailConstants.CKS_NODE_TYPE, "worker");
+        entry.put(VmDetailConstants.AFFINITY_GROUP, "uuid1,uuid2");
+
+        Map<String, List<Long>> mapping = new HashMap<>();
+        kubernetesServiceHelper.processNodeTypeAffinityGroupEntryAndAddToMappingIfValid(entry, mapping);
+        Assert.assertEquals(1, mapping.size());
+        Assert.assertEquals(Arrays.asList(1L, 2L), mapping.get("WORKER"));
+    }
+
+    @Test
+    public void testGetAffinityGroupNodeTypeMapEmptyMap() {
+        Map<String, List<Long>> result = kubernetesServiceHelper.getAffinityGroupNodeTypeMap(null);
+        Assert.assertTrue(result.isEmpty());
+
+        result = kubernetesServiceHelper.getAffinityGroupNodeTypeMap(new HashMap<>());
+        Assert.assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void testGetAffinityGroupNodeTypeMapValidEntries() {
+        AffinityGroupVO controlAffinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(controlAffinityGroup.getId()).thenReturn(100L);
+        Mockito.when(affinityGroupDao.findByUuid("control-affinity-uuid")).thenReturn(controlAffinityGroup);
+
+        AffinityGroupVO workerAffinityGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(workerAffinityGroup.getId()).thenReturn(200L);
+        Mockito.when(affinityGroupDao.findByUuid("worker-affinity-uuid")).thenReturn(workerAffinityGroup);
+
+        Map<String, Map<String, String>> affinityGroupNodeTypeMap = new HashMap<>();
+
+        Map<String, String> controlEntry = new HashMap<>();
+        controlEntry.put(VmDetailConstants.CKS_NODE_TYPE, "control");
+        controlEntry.put(VmDetailConstants.AFFINITY_GROUP, "control-affinity-uuid");
+        affinityGroupNodeTypeMap.put("0", controlEntry);
+
+        Map<String, String> workerEntry = new HashMap<>();
+        workerEntry.put(VmDetailConstants.CKS_NODE_TYPE, "worker");
+        workerEntry.put(VmDetailConstants.AFFINITY_GROUP, "worker-affinity-uuid");
+        affinityGroupNodeTypeMap.put("1", workerEntry);
+
+        Map<String, List<Long>> result = kubernetesServiceHelper.getAffinityGroupNodeTypeMap(affinityGroupNodeTypeMap);
+        Assert.assertEquals(2, result.size());
+        Assert.assertEquals(Arrays.asList(100L), result.get("CONTROL"));
+        Assert.assertEquals(Arrays.asList(200L), result.get("WORKER"));
+    }
+
+    @Test
+    public void testGetAffinityGroupNodeTypeMapMultipleIdsPerNodeType() {
+        AffinityGroupVO ag1 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO ag2 = Mockito.mock(AffinityGroupVO.class);
+        AffinityGroupVO ag3 = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(ag1.getId()).thenReturn(1L);
+        Mockito.when(ag2.getId()).thenReturn(2L);
+        Mockito.when(ag3.getId()).thenReturn(3L);
+        Mockito.when(affinityGroupDao.findByUuid("ag1")).thenReturn(ag1);
+        Mockito.when(affinityGroupDao.findByUuid("ag2")).thenReturn(ag2);
+        Mockito.when(affinityGroupDao.findByUuid("ag3")).thenReturn(ag3);
+
+        Map<String, Map<String, String>> affinityGroupNodeTypeMap = new HashMap<>();
+
+        Map<String, String> controlEntry = new HashMap<>();
+        controlEntry.put(VmDetailConstants.CKS_NODE_TYPE, "control");
+        controlEntry.put(VmDetailConstants.AFFINITY_GROUP, "ag1,ag2,ag3");
+        affinityGroupNodeTypeMap.put("0", controlEntry);
+
+        Map<String, List<Long>> result = kubernetesServiceHelper.getAffinityGroupNodeTypeMap(affinityGroupNodeTypeMap);
+        Assert.assertEquals(1, result.size());
+        Assert.assertEquals(Arrays.asList(1L, 2L, 3L), result.get("CONTROL"));
+    }
 }
diff --git a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorkerTest.java b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorkerTest.java
index 1eb55808e09..a25ec55cc04 100644
--- a/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorkerTest.java
+++ b/plugins/integrations/kubernetes-service/src/test/java/com/cloud/kubernetes/cluster/actionworkers/KubernetesClusterActionWorkerTest.java
@@ -16,8 +16,14 @@
 // under the License.
 package com.cloud.kubernetes.cluster.actionworkers;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.UUID;
 
+import org.apache.cloudstack.affinity.AffinityGroupVO;
+import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
 import org.apache.cloudstack.api.ApiConstants;
 import org.junit.Assert;
 import org.junit.Before;
@@ -30,6 +36,8 @@ import org.mockito.junit.MockitoJUnitRunner;
 import com.cloud.kubernetes.cluster.KubernetesCluster;
 import com.cloud.kubernetes.cluster.KubernetesClusterDetailsVO;
 import com.cloud.kubernetes.cluster.KubernetesClusterManagerImpl;
+import com.cloud.kubernetes.cluster.KubernetesServiceHelper.KubernetesClusterNodeType;
+import com.cloud.kubernetes.cluster.dao.KubernetesClusterAffinityGroupMapDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterDetailsDao;
 import com.cloud.kubernetes.cluster.dao.KubernetesClusterVmMapDao;
@@ -60,6 +68,12 @@ public class KubernetesClusterActionWorkerTest {
     @Mock
     IPAddressDao ipAddressDao;
 
+    @Mock
+    KubernetesClusterAffinityGroupMapDao kubernetesClusterAffinityGroupMapDao;
+
+    @Mock
+    AffinityGroupDao affinityGroupDao;
+
     KubernetesClusterActionWorker actionWorker = null;
 
     final static Long DEFAULT_ID = 1L;
@@ -70,10 +84,12 @@ public class KubernetesClusterActionWorkerTest {
         kubernetesClusterManager.kubernetesSupportedVersionDao = kubernetesSupportedVersionDao;
         kubernetesClusterManager.kubernetesClusterDetailsDao = kubernetesClusterDetailsDao;
         kubernetesClusterManager.kubernetesClusterVmMapDao = kubernetesClusterVmMapDao;
+        kubernetesClusterManager.kubernetesClusterAffinityGroupMapDao = kubernetesClusterAffinityGroupMapDao;
         KubernetesCluster kubernetesCluster = Mockito.mock(KubernetesCluster.class);
         Mockito.when(kubernetesCluster.getId()).thenReturn(DEFAULT_ID);
         actionWorker = new KubernetesClusterActionWorker(kubernetesCluster, kubernetesClusterManager);
         actionWorker.ipAddressDao = ipAddressDao;
+        actionWorker.affinityGroupDao = affinityGroupDao;
     }
 
     @Test
@@ -130,4 +146,87 @@ public class KubernetesClusterActionWorkerTest {
         IpAddress result = actionWorker.getVpcTierKubernetesPublicIp(mockNetworkForGetVpcTierKubernetesPublicIpTest());
         Assert.assertNotNull(result);
     }
+
+    @Test
+    public void testGetAffinityGroupIdsForNodeTypeReturnsIds() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "CONTROL"))
+            .thenReturn(Arrays.asList(1L, 2L));
+
+        List<Long> result = actionWorker.getAffinityGroupIdsForNodeType(KubernetesClusterNodeType.CONTROL);
+
+        Assert.assertEquals(2, result.size());
+        Assert.assertTrue(result.containsAll(Arrays.asList(1L, 2L)));
+    }
+
+    @Test
+    public void testGetAffinityGroupIdsForNodeTypeReturnsEmptyList() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "WORKER"))
+            .thenReturn(Collections.emptyList());
+
+        List<Long> result = actionWorker.getAffinityGroupIdsForNodeType(KubernetesClusterNodeType.WORKER);
+
+        Assert.assertTrue(result.isEmpty());
+    }
+
+    @Test
+    public void testGetMergedAffinityGroupIdsWithExplicitDedication() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "CONTROL"))
+            .thenReturn(new ArrayList<>(Arrays.asList(1L)));
+
+        AffinityGroupVO explicitGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(explicitGroup.getId()).thenReturn(99L);
+        Mockito.when(affinityGroupDao.findByAccountAndType(Mockito.anyLong(), Mockito.eq("ExplicitDedication")))
+            .thenReturn(explicitGroup);
+
+        List<Long> result = actionWorker.getMergedAffinityGroupIds(KubernetesClusterNodeType.CONTROL, 1L, 1L);
+
+        Assert.assertEquals(2, result.size());
+        Assert.assertTrue(result.contains(1L));
+        Assert.assertTrue(result.contains(99L));
+    }
+
+    @Test
+    public void testGetMergedAffinityGroupIdsNoExplicitDedication() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "WORKER"))
+            .thenReturn(new ArrayList<>(Arrays.asList(1L, 2L)));
+        Mockito.when(affinityGroupDao.findByAccountAndType(Mockito.anyLong(), Mockito.eq("ExplicitDedication")))
+            .thenReturn(null);
+        Mockito.when(affinityGroupDao.findDomainLevelGroupByType(Mockito.anyLong(), Mockito.eq("ExplicitDedication")))
+            .thenReturn(null);
+
+        List<Long> result = actionWorker.getMergedAffinityGroupIds(KubernetesClusterNodeType.WORKER, 1L, 1L);
+
+        Assert.assertEquals(2, result.size());
+    }
+
+    @Test
+    public void testGetMergedAffinityGroupIdsReturnsNullWhenEmpty() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "ETCD"))
+            .thenReturn(new ArrayList<>());
+        Mockito.when(affinityGroupDao.findByAccountAndType(Mockito.anyLong(), Mockito.anyString()))
+            .thenReturn(null);
+        Mockito.when(affinityGroupDao.findDomainLevelGroupByType(Mockito.anyLong(), Mockito.anyString()))
+            .thenReturn(null);
+
+        List<Long> result = actionWorker.getMergedAffinityGroupIds(KubernetesClusterNodeType.ETCD, 1L, 1L);
+
+        Assert.assertNull(result);
+    }
+
+    @Test
+    public void testGetMergedAffinityGroupIdsExplicitDedicationAlreadyInList() {
+        Mockito.when(kubernetesClusterAffinityGroupMapDao.listAffinityGroupIdsByClusterIdAndNodeType(DEFAULT_ID, "CONTROL"))
+            .thenReturn(new ArrayList<>(Arrays.asList(99L, 2L)));
+
+        AffinityGroupVO explicitGroup = Mockito.mock(AffinityGroupVO.class);
+        Mockito.when(explicitGroup.getId()).thenReturn(99L);
+        Mockito.when(affinityGroupDao.findByAccountAndType(Mockito.anyLong(), Mockito.eq("ExplicitDedication")))
+            .thenReturn(explicitGroup);
+
+        List<Long> result = actionWorker.getMergedAffinityGroupIds(KubernetesClusterNodeType.CONTROL, 1L, 1L);
+
+        Assert.assertEquals(2, result.size());
+        Assert.assertTrue(result.contains(99L));
+        Assert.assertTrue(result.contains(2L));
+    }
 }
diff --git a/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/LoadBalanceRuleHandler.java b/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/LoadBalanceRuleHandler.java
index 3df58470fc6..fc167b71c23 100644
--- a/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/LoadBalanceRuleHandler.java
+++ b/plugins/network-elements/elastic-loadbalancer/src/main/java/com/cloud/network/lb/LoadBalanceRuleHandler.java
@@ -363,7 +363,7 @@ public class LoadBalanceRuleHandler {
             lb.setSourceIpAddressId(ipId);
 
             result = _lbMgr.createPublicLoadBalancer(lb.getXid(), lb.getName(), lb.getDescription(), lb.getSourcePortStart(), lb.getDefaultPortStart(), ipId.longValue(),
-                    lb.getProtocol(), lb.getAlgorithm(), false, CallContext.current(), lb.getLbProtocol(), true, null);
+                    lb.getProtocol(), lb.getAlgorithm(), false, CallContext.current(), lb.getLbProtocol(), true, null, networkId);
         } catch (final NetworkRuleConflictException e) {
             logger.warn("Failed to create LB rule, not continuing with ELB deployment");
             if (newIp) {
diff --git a/plugins/network-elements/juniper-contrail/src/main/java/org/apache/cloudstack/network/contrail/management/ContrailManagerImpl.java b/plugins/network-elements/juniper-contrail/src/main/java/org/apache/cloudstack/network/contrail/management/ContrailManagerImpl.java
index f360fab0112..8badb916eed 100644
--- a/plugins/network-elements/juniper-contrail/src/main/java/org/apache/cloudstack/network/contrail/management/ContrailManagerImpl.java
+++ b/plugins/network-elements/juniper-contrail/src/main/java/org/apache/cloudstack/network/contrail/management/ContrailManagerImpl.java
@@ -293,7 +293,7 @@ public class ContrailManagerImpl extends ManagerBase implements ContrailManager
             }
             serviceProviderMap.put(svc, providerSet);
         }
-        vpcOffer = _vpcProvSvc.createVpcOffering(juniperVPCOfferingName, juniperVPCOfferingDisplayText, services, serviceProviderMap, null, null, null, null, null, null, null, VpcOffering.State.Enabled, null, false);
+        vpcOffer = _vpcProvSvc.createVpcOffering(juniperVPCOfferingName, juniperVPCOfferingDisplayText, services, serviceProviderMap, null, null, null, null, null, null, null, VpcOffering.State.Enabled, null, false, false);
         long id = vpcOffer.getId();
         _vpcOffDao.update(id, (VpcOfferingVO)vpcOffer);
         return _vpcOffDao.findById(id);
diff --git a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index d3714f14834..7953a6a27cd 100644
--- a/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -25,21 +25,30 @@ import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
 import com.cloud.api.auth.SetupUserTwoFactorAuthenticationCmd;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.MoveUserCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 import org.apache.cloudstack.api.response.UserTwoFactorAuthenticationSetupResponse;
 import org.apache.cloudstack.auth.UserTwoFactorAuthenticator;
 import org.apache.cloudstack.backup.BackupOffering;
 import org.apache.cloudstack.framework.config.ConfigKey;
 
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
-import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterUserKeyCmd;
-import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 import org.apache.cloudstack.context.CallContext;
 
 import com.cloud.api.query.vo.ControlledViewEntity;
@@ -119,7 +128,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
     }
 
     @Override
-    public String[] createApiKeyAndSecretKey(RegisterUserKeyCmd arg0) {
+    public ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd arg0) {
         // TODO Auto-generated method stub
         return null;
     }
@@ -401,7 +410,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
     }
 
     @Override
-    public Pair<User, Account> findUserByApiKey(String arg0) {
+    public Ternary<User, Account, ApiKeyPair> findUserByApiKey(String arg0) {
         // TODO Auto-generated method stub
         return null;
     }
@@ -466,6 +475,10 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         // TODO Auto-generated method stub
     }
 
+    @Override
+    public void validateCallingUserHasAccessToDesiredUser(Long userId) {
+    }
+
     @Override
     public Long finalizeAccountId(String accountName, Long domainId, Long projectId, boolean enabledOnly) {
         // TODO Auto-generated method stub
@@ -503,10 +516,23 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
     }
 
     @Override
-    public Pair<Boolean, Map<String, String>> getKeys(Long userId) {
+    public ListResponse<ApiKeyPairResponse> listKeys(ListUserKeysCmd cmd) {
         return null;
     }
 
+    @Override
+    public List<ApiKeyPairPermission> listKeyRules(ListUserKeyRulesCmd cmd) {
+        return null;
+    }
+
+    @Override
+    public void deleteApiKey(DeleteUserKeysCmd cmd) {
+    }
+
+    @Override
+    public void deleteApiKey(ApiKeyPair id) {
+    }
+
     @Override
     public List<UserTwoFactorAuthenticator> listUserTwoFactorAuthenticationProviders() {
         return null;
@@ -517,6 +543,31 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         return null;
     }
 
+    @Override
+    public ApiKeyPair getLatestUserKeyPair(Long userId) {
+        return null;
+    }
+
+    @Override
+    public ApiKeyPair getKeyPairById(Long id) {
+        return null;
+    }
+
+    @Override
+    public ApiKeyPair getKeyPairByApiKey(String apiKey) {
+        return null;
+    }
+
+    @Override
+    public String getAccessingApiKey(BaseCmd cmd) {
+        return null;
+    }
+
+    @Override
+    public List<RolePermissionEntity> getAllKeypairPermissions(String apiKey) {
+        return List.of();
+    }
+
     @Override
     public void checkAccess(User user, ControlledEntity entity)
             throws PermissionDeniedException {
@@ -538,7 +589,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
     }
 
     @Override
-    public void checkApiAccess(Account account, String command) throws PermissionDeniedException {
+    public void checkApiAccess(Account account, String command, String apiKey) throws PermissionDeniedException {
     }
 
     @Override
@@ -549,4 +600,12 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
     @Override
     public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) {
     }
+
+    @Override
+    public void verifyCallerPrivilegeForUserOrAccountOperations(User user) {
+    }
+
+    @Override
+    public void checkCallerRoleTypeAllowedForUserOrAccountOperations(Account userAccount, User user) {
+    }
 }
diff --git a/plugins/network-elements/tungsten/src/main/java/org/apache/cloudstack/network/tungsten/service/TungstenServiceImpl.java b/plugins/network-elements/tungsten/src/main/java/org/apache/cloudstack/network/tungsten/service/TungstenServiceImpl.java
index 60b5b7290a9..2a29b3976b0 100644
--- a/plugins/network-elements/tungsten/src/main/java/org/apache/cloudstack/network/tungsten/service/TungstenServiceImpl.java
+++ b/plugins/network-elements/tungsten/src/main/java/org/apache/cloudstack/network/tungsten/service/TungstenServiceImpl.java
@@ -19,6 +19,7 @@ package org.apache.cloudstack.network.tungsten.service;
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.Command;
+import com.cloud.api.ApiDBUtils;
 import com.cloud.configuration.Config;
 import com.cloud.configuration.ConfigurationManager;
 import com.cloud.dc.DataCenter;
@@ -114,6 +115,7 @@ import net.juniper.tungsten.api.types.TagType;
 import net.juniper.tungsten.api.types.VirtualMachine;
 import net.juniper.tungsten.api.types.VirtualMachineInterface;
 import net.juniper.tungsten.api.types.VirtualNetwork;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.api.BaseResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -1182,9 +1184,10 @@ public class TungstenServiceImpl extends ManagerBase implements TungstenService
             int listenerPort = NetUtils.HTTPS_PORT;
 
             User callerUser = accountMgr.getActiveUser(CallContext.current().getCallingUserId());
-            String apiKey = callerUser.getApiKey();
-            String secretKey = callerUser.getSecretKey();
-            if (apiKey != null && secretKey != null) {
+            ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(callerUser.getId());
+            if (latestKeypair != null) {
+                String apiKey = latestKeypair.getApiKey();
+                String secretKey = latestKeypair.getSecretKey();
                 String url;
                 try {
                     String data = "apiKey=" + URLEncoder.encode(apiKey, StandardCharsets.UTF_8.name()).replace("\\+", "%20") + "&command"
diff --git a/plugins/network-elements/tungsten/src/test/java/org/apache/cloudstack/network/tungsten/service/TungstenElementTest.java b/plugins/network-elements/tungsten/src/test/java/org/apache/cloudstack/network/tungsten/service/TungstenElementTest.java
index b22d1e70be3..bad21464602 100644
--- a/plugins/network-elements/tungsten/src/test/java/org/apache/cloudstack/network/tungsten/service/TungstenElementTest.java
+++ b/plugins/network-elements/tungsten/src/test/java/org/apache/cloudstack/network/tungsten/service/TungstenElementTest.java
@@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.network.tungsten.service;
 
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -360,6 +361,10 @@ public class TungstenElementTest {
         when(lbStickinessPolicy.getMethodName()).thenReturn("AppCookie");
         List<Pair<String, String>> pairList = List.of(new Pair<>("cookieName", "cookieValue"));
 
+        ApiKeyPairVO latest = new ApiKeyPairVO();
+        latest.setApiKey("apikey");
+        latest.setSecretKey("secretkey");
+        when(ApiDBUtils.searchForLatestUserKeyPair(Mockito.anyLong())).thenReturn(latest);
         when(lbStickinessPolicy.getParams()).thenReturn(pairList);
         when(loadBalancingRule1.getId()).thenReturn(1L);
         when(loadBalancingRule1.getState()).thenReturn(FirewallRule.State.Add);
diff --git a/plugins/storage/image/s3/src/main/java/org/apache/cloudstack/storage/datastore/driver/S3ImageStoreDriverImpl.java b/plugins/storage/image/s3/src/main/java/org/apache/cloudstack/storage/datastore/driver/S3ImageStoreDriverImpl.java
index 9b2f3ddd100..6318c1920a9 100644
--- a/plugins/storage/image/s3/src/main/java/org/apache/cloudstack/storage/datastore/driver/S3ImageStoreDriverImpl.java
+++ b/plugins/storage/image/s3/src/main/java/org/apache/cloudstack/storage/datastore/driver/S3ImageStoreDriverImpl.java
@@ -55,7 +55,7 @@ public class S3ImageStoreDriverImpl extends BaseImageStoreDriverImpl {
         return new S3TO(imgStore.getId(),
                         imgStore.getUuid(),
                         details.get(ApiConstants.S3_ACCESS_KEY),
-                        details.get(ApiConstants.S3_SECRET_KEY),
+                        details.get(ApiConstants.SECRET_KEY),
                         details.get(ApiConstants.S3_END_POINT),
                         details.get(ApiConstants.S3_BUCKET_NAME),
                         details.get(ApiConstants.S3_SIGNER),
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientConnectionPool.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientConnectionPool.java
index 39bcc205586..e98d502d681 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientConnectionPool.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientConnectionPool.java
@@ -17,12 +17,12 @@
 
 package org.apache.cloudstack.storage.datastore.client;
 
-import java.net.URISyntaxException;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
+import java.util.Map;
+import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 
 import com.cloud.storage.StoragePool;
+import com.cloud.utils.exception.CloudRuntimeException;
 import org.apache.cloudstack.engine.subsystem.api.storage.DataStore;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailVO;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailsDao;
@@ -36,9 +36,9 @@ import com.google.common.base.Preconditions;
 public class ScaleIOGatewayClientConnectionPool {
     protected Logger logger = LogManager.getLogger(getClass());
 
-    private ConcurrentHashMap<Long, ScaleIOGatewayClient> gatewayClients;
-
+    private Map<Long, ScaleIOGatewayClient> gatewayClients;
     private static final ScaleIOGatewayClientConnectionPool instance;
+    private final Object lock = new Object();
 
     static {
         instance = new ScaleIOGatewayClientConnectionPool();
@@ -49,60 +49,67 @@ public class ScaleIOGatewayClientConnectionPool {
     }
 
     private ScaleIOGatewayClientConnectionPool() {
-        gatewayClients = new ConcurrentHashMap<Long, ScaleIOGatewayClient>();
+        gatewayClients = new ConcurrentHashMap<>();
     }
 
     public ScaleIOGatewayClient getClient(StoragePool storagePool,
-                                          StoragePoolDetailsDao storagePoolDetailsDao)
-            throws NoSuchAlgorithmException, KeyManagementException, URISyntaxException {
+                                          StoragePoolDetailsDao storagePoolDetailsDao) {
         return getClient(storagePool.getId(), storagePool.getUuid(), storagePoolDetailsDao);
     }
 
 
     public ScaleIOGatewayClient getClient(DataStore dataStore,
-                                          StoragePoolDetailsDao storagePoolDetailsDao)
-            throws NoSuchAlgorithmException, KeyManagementException, URISyntaxException {
+                                          StoragePoolDetailsDao storagePoolDetailsDao) {
         return getClient(dataStore.getId(), dataStore.getUuid(), storagePoolDetailsDao);
     }
 
-
     private ScaleIOGatewayClient getClient(Long storagePoolId, String storagePoolUuid,
-                                           StoragePoolDetailsDao storagePoolDetailsDao)
-            throws NoSuchAlgorithmException, KeyManagementException, URISyntaxException {
+                                           StoragePoolDetailsDao storagePoolDetailsDao) {
 
         Preconditions.checkArgument(storagePoolId != null && storagePoolId > 0,
                 "Invalid storage pool id");
 
-        ScaleIOGatewayClient client = null;
-        synchronized (gatewayClients) {
-            client = gatewayClients.get(storagePoolId);
-            if (client == null) {
-                String url = null;
-                StoragePoolDetailVO urlDetail  = storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_ENDPOINT);
-                if (urlDetail != null) {
-                    url = urlDetail.getValue();
-                }
-                String username = null;
-                StoragePoolDetailVO encryptedUsernameDetail = storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_USERNAME);
-                if (encryptedUsernameDetail != null) {
-                    final String encryptedUsername = encryptedUsernameDetail.getValue();
-                    username = DBEncryptionUtil.decrypt(encryptedUsername);
-                }
-                String password = null;
-                StoragePoolDetailVO encryptedPasswordDetail = storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_PASSWORD);
-                if (encryptedPasswordDetail != null) {
-                    final String encryptedPassword = encryptedPasswordDetail.getValue();
-                    password = DBEncryptionUtil.decrypt(encryptedPassword);
-                }
-                final int clientTimeout = StorageManager.STORAGE_POOL_CLIENT_TIMEOUT.valueIn(storagePoolId);
-                final int clientMaxConnections = StorageManager.STORAGE_POOL_CLIENT_MAX_CONNECTIONS.valueIn(storagePoolId);
+        logger.debug("Getting ScaleIO client for {} ({})", storagePoolId, storagePoolUuid);
 
-                client = new ScaleIOGatewayClientImpl(url, username, password, false, clientTimeout, clientMaxConnections);
-                gatewayClients.put(storagePoolId, client);
-                logger.debug("Added gateway client for the storage pool [id: {}, uuid: {}]", storagePoolId, storagePoolUuid);
+        ScaleIOGatewayClient client = gatewayClients.get(storagePoolId);
+        if (client == null) {
+            logger.debug("Before acquiring lock to create ScaleIO client for {} ({})", storagePoolId, storagePoolUuid);
+            synchronized (lock) {
+                logger.debug("Acquired lock to create ScaleIO client for {} ({})", storagePoolId, storagePoolUuid);
+                client = gatewayClients.get(storagePoolId);
+                if (client == null) {
+                    logger.debug("Initializing ScaleIO client for {} ({})", storagePoolId, storagePoolUuid);
+
+                    String url = Optional.ofNullable(storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_ENDPOINT))
+                            .map(StoragePoolDetailVO::getValue)
+                            .orElse(null);
+
+                    String username = Optional.ofNullable(storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_USERNAME))
+                            .map(StoragePoolDetailVO::getValue)
+                            .map(DBEncryptionUtil::decrypt)
+                            .orElse(null);
+
+                    String password = Optional.ofNullable(storagePoolDetailsDao.findDetail(storagePoolId, ScaleIOGatewayClient.GATEWAY_API_PASSWORD))
+                            .map(StoragePoolDetailVO::getValue)
+                            .map(DBEncryptionUtil::decrypt)
+                            .orElse(null);
+
+                    int clientTimeout = StorageManager.STORAGE_POOL_CLIENT_TIMEOUT.valueIn(storagePoolId);
+                    int clientMaxConnections = StorageManager.STORAGE_POOL_CLIENT_MAX_CONNECTIONS.valueIn(storagePoolId);
+
+                    try {
+                        client = new ScaleIOGatewayClientImpl(url, username, password, false, clientTimeout, clientMaxConnections);
+                        logger.debug("Created ScaleIO client for the storage pool [id: {}, uuid: {}]", storagePoolId, storagePoolUuid);
+                        gatewayClients.put(storagePoolId, client);
+                    } catch (Exception e) {
+                        String msg = String.format("Failed to create ScaleIO client for the storage pool [id: %d, uuid: %s]", storagePoolId, storagePoolUuid);
+                        throw new CloudRuntimeException(msg, e);
+                    }
+                }
             }
         }
 
+        logger.debug("Returning ScaleIO client for {} ({})", storagePoolId, storagePoolUuid);
         return client;
     }
 
@@ -110,8 +117,8 @@ public class ScaleIOGatewayClientConnectionPool {
         Preconditions.checkArgument(dataStore != null && dataStore.getId() > 0,
                 "Invalid storage pool id");
 
-        ScaleIOGatewayClient client = null;
-        synchronized (gatewayClients) {
+        ScaleIOGatewayClient client;
+        synchronized (lock) {
             client = gatewayClients.remove(dataStore.getId());
         }
 
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
index 6c4cc57ce50..c6a61c35b8b 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImpl.java
@@ -92,7 +92,7 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
 
     private String username;
     private String password;
-    private String sessionKey = null;
+    private String sessionKey;
 
     // The session token is valid for 8 hours from the time it was created, unless there has been no activity for 10 minutes
     // Reference: https://cpsdocs.dellemc.com/bundle/PF_REST_API_RG/page/GUID-92430F19-9F44-42B6-B898-87D5307AE59B.html
@@ -102,7 +102,7 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
     private static final long MAX_IDLE_TIME_IN_MILLISECS = MAX_IDLE_TIME_IN_MINS * 60 * 1000;
     private static final long BUFFER_TIME_IN_MILLISECS = 30 * 1000; // keep 30 secs buffer before the expiration (to avoid any last-minute operations)
 
-    private boolean authenticating = false;
+    private volatile boolean authenticating = false;
     private long createTime = 0;
     private long lastUsedTime = 0;
 
@@ -142,7 +142,6 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
         this.username = username;
         this.password = password;
 
-        authenticate();
         logger.debug("API client for the PowerFlex gateway " + apiURI.getHost() + " is created successfully, with max connections: "
                 + maxConnections + " and timeout: " + timeout + " secs");
     }
@@ -181,7 +180,7 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
             long now = System.currentTimeMillis();
             createTime = lastUsedTime = now;
         } catch (final IOException e) {
-            logger.error("Failed to authenticate PowerFlex API Gateway " + apiURI.getHost() + " due to: " + e.getMessage() + getConnectionManagerStats());
+            logger.error("Failed to authenticate PowerFlex API Gateway " + apiURI.getHost() + " due to: " + e.getMessage() + getConnectionManagerStats(), e);
             throw new CloudRuntimeException("Failed to authenticate PowerFlex API Gateway " + apiURI.getHost() + " due to: " + e.getMessage());
         } finally {
             authenticating = false;
@@ -199,6 +198,10 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
     }
 
     private boolean isSessionExpired() {
+        if (sessionKey == null) {
+            logger.debug("Session never created for the Gateway " + apiURI.getHost());
+            return true;
+        }
         long now = System.currentTimeMillis() + BUFFER_TIME_IN_MILLISECS;
         if ((now - createTime) > MAX_VALID_SESSION_TIME_IN_MILLISECS) {
             logger.debug("Session expired for the Gateway " + apiURI.getHost() + ", token is invalid after " + MAX_VALID_SESSION_TIME_IN_HRS
@@ -281,7 +284,11 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
         HttpResponse response = null;
         boolean responseConsumed = false;
         try {
-            while (authenticating); // wait for authentication request (if any) to complete (and to pick the new session key)
+            while (authenticating) { // wait for authentication request (if any)
+                // to complete (and to pick the new session key)
+                Thread.yield();
+            }
+
             final HttpGet request = new HttpGet(apiURI.toString() + path);
             request.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + Base64.getEncoder().encodeToString((this.username + ":" + this.sessionKey).getBytes()));
             logger.debug("Sending GET request: " + request.toString());
@@ -316,7 +323,10 @@ public class ScaleIOGatewayClientImpl implements ScaleIOGatewayClient {
         HttpResponse response = null;
         boolean responseConsumed = false;
         try {
-            while (authenticating); // wait for authentication request (if any) to complete (and to pick the new session key)
+            while (authenticating) { // wait for authentication request (if any)
+                // to complete (and to pick the new session key)
+                Thread.yield();
+            }
             final HttpPost request = new HttpPost(apiURI.toString() + path);
             request.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + Base64.getEncoder().encodeToString((this.username + ":" + this.sessionKey).getBytes()));
             request.setHeader("content-type", "application/json");
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/driver/ScaleIOPrimaryDataStoreDriver.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/driver/ScaleIOPrimaryDataStoreDriver.java
index 506cb54e1d8..2c6460422a4 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/driver/ScaleIOPrimaryDataStoreDriver.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/driver/ScaleIOPrimaryDataStoreDriver.java
@@ -153,15 +153,15 @@ public class ScaleIOPrimaryDataStoreDriver implements PrimaryDataStoreDriver {
         sdcManager = new ScaleIOSDCManagerImpl();
     }
 
-    ScaleIOGatewayClient getScaleIOClient(final StoragePool storagePool) throws Exception {
+    ScaleIOGatewayClient getScaleIOClient(final StoragePool storagePool) {
         return ScaleIOGatewayClientConnectionPool.getInstance().getClient(storagePool, storagePoolDetailsDao);
     }
 
-    ScaleIOGatewayClient getScaleIOClient(final DataStore dataStore) throws Exception {
+    ScaleIOGatewayClient getScaleIOClient(final DataStore dataStore) {
         return ScaleIOGatewayClientConnectionPool.getInstance().getClient(dataStore, storagePoolDetailsDao);
     }
 
-    private boolean setVolumeLimitsOnSDC(VolumeVO volume, Host host, DataStore dataStore, Long iopsLimit, Long bandwidthLimitInKbps) throws Exception {
+    private boolean setVolumeLimitsOnSDC(VolumeVO volume, Host host, DataStore dataStore, Long iopsLimit, Long bandwidthLimitInKbps) {
         sdcManager = ComponentContext.inject(sdcManager);
         final String sdcId = sdcManager.prepareSDC(host, dataStore);
         if (StringUtils.isBlank(sdcId)) {
@@ -173,7 +173,7 @@ public class ScaleIOPrimaryDataStoreDriver implements PrimaryDataStoreDriver {
         return client.mapVolumeToSdcWithLimits(ScaleIOUtil.getVolumePath(volume.getPath()), sdcId, iopsLimit, bandwidthLimitInKbps);
     }
 
-    private boolean setVolumeLimitsFromDetails(VolumeVO volume, Host host, DataStore dataStore) throws Exception {
+    private boolean setVolumeLimitsFromDetails(VolumeVO volume, Host host, DataStore dataStore) {
         Long bandwidthLimitInKbps = 0L; // Unlimited
         // Check Bandwidth Limit parameter in volume details
         final VolumeDetailVO bandwidthVolumeDetail = volumeDetailsDao.findDetail(volume.getId(), Volume.BANDWIDTH_LIMIT_IN_MBPS);
@@ -997,7 +997,7 @@ public class ScaleIOPrimaryDataStoreDriver implements PrimaryDataStoreDriver {
         return host;
     }
 
-    public void updateSnapshotsAfterCopyVolume(DataObject srcData, DataObject destData) throws Exception {
+    public void updateSnapshotsAfterCopyVolume(DataObject srcData, DataObject destData) {
         final long srcVolumeId = srcData.getId();
         DataStore srcStore = srcData.getDataStore();
         final ScaleIOGatewayClient client = getScaleIOClient(srcStore);
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/manager/ScaleIOSDCManagerImpl.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/manager/ScaleIOSDCManagerImpl.java
index c13ad61a6cd..cb111e9ccac 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/manager/ScaleIOSDCManagerImpl.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/manager/ScaleIOSDCManagerImpl.java
@@ -361,14 +361,13 @@ public class ScaleIOSDCManagerImpl implements ScaleIOSDCManager, Configurable {
             return false;
         }
 
-        try {
-            if (logger.isDebugEnabled()) {
-                List<StoragePoolHostVO> poolHostVOsBySdc = storagePoolHostDao.findByLocalPath(sdcId);
-                if (CollectionUtils.isNotEmpty(poolHostVOsBySdc) && poolHostVOsBySdc.size() > 1) {
-                    logger.debug(String.format("There are other connected pools with the same SDC of the host %s", host));
-                }
-            }
+        List<StoragePoolHostVO> poolHostVOsBySdc = storagePoolHostDao.findByLocalPath(sdcId);
+        if (CollectionUtils.isNotEmpty(poolHostVOsBySdc) && poolHostVOsBySdc.size() > 1) {
+            logger.debug(String.format("There are other connected pools with the same SDC of the host %s", host));
+            return false;
+        }
 
+        try {
             return !areVolumesMappedToPoolSdc(dataStore.getId(), sdcId);
         } catch (Exception e) {
             logger.warn("Unable to check whether the SDC of the pool: " + dataStore.getId() + " can be unprepared on the host: " + host.getId() + ", due to " + e.getMessage(), e);
@@ -425,20 +424,26 @@ public class ScaleIOSDCManagerImpl implements ScaleIOSDCManager, Configurable {
     @Override
     public boolean isHostSdcConnected(String sdcId, DataStore dataStore, int waitTimeInSecs) {
         long poolId = dataStore.getId();
-        logger.debug(String.format("Waiting (for %d secs) for the SDC %s of the pool %s to connect",
-                waitTimeInSecs, sdcId, dataStore));
+        logger.debug("Waiting (for {} secs) for the SDC {} of the pool {} to connect", waitTimeInSecs, sdcId, dataStore);
         int timeBetweenTries = 1000; // Try more frequently (every sec) and return early if connected
-        while (waitTimeInSecs > 0) {
+        for (int i = 0; i < waitTimeInSecs; i++) {
+            logger.debug("Attempt {} of {} for the SDC {} of the pool {} to connect", i + 1, waitTimeInSecs, sdcId, dataStore);
             if (isHostSdcConnected(sdcId, poolId)) {
+                logger.debug("Attempt {} of {} successful for the SDC {} of the pool {} to connect", i + 1, waitTimeInSecs, sdcId, dataStore);
                 return true;
             }
-            waitTimeInSecs--;
             try {
                 Thread.sleep(timeBetweenTries);
             } catch (Exception ignore) {
             }
         }
-        return isHostSdcConnected(sdcId, poolId);
+        boolean isConnected = isHostSdcConnected(sdcId, poolId);
+        if (isConnected) {
+            logger.debug("Final attempt to connect the SDC {} of the pool {} succeeded", sdcId, dataStore);
+        } else {
+            logger.debug("Final attempt to connect the SDC {} of the pool {} failed", sdcId, dataStore);
+        }
+        return isConnected;
     }
 
     @Override
@@ -470,6 +475,7 @@ public class ScaleIOSDCManagerImpl implements ScaleIOSDCManager, Configurable {
     private boolean isHostSdcConnected(String sdcId, long poolId) {
         try {
             final ScaleIOGatewayClient client = getScaleIOClient(poolId);
+            logger.debug("Checking whether SDC {} connected or not", sdcId);
             return client.isSdcConnected(sdcId);
         } catch (Exception e) {
             logger.error("Failed to check host SDC connection", e);
@@ -477,7 +483,7 @@ public class ScaleIOSDCManagerImpl implements ScaleIOSDCManager, Configurable {
         }
     }
 
-    private ScaleIOGatewayClient getScaleIOClient(final Long storagePoolId) throws Exception {
+    private ScaleIOGatewayClient getScaleIOClient(Long storagePoolId) {
         StoragePoolVO storagePool = storagePoolDao.findById(storagePoolId);
         if (storagePool == null) {
             throw new CloudRuntimeException("Unable to find the storage pool with id " + storagePoolId);
diff --git a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/util/ScaleIOUtil.java b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/util/ScaleIOUtil.java
index 70ea6f429e7..c1bc9fc10cf 100644
--- a/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/util/ScaleIOUtil.java
+++ b/plugins/storage/volume/scaleio/src/main/java/org/apache/cloudstack/storage/datastore/util/ScaleIOUtil.java
@@ -158,6 +158,11 @@ public class ScaleIOUtil {
      */
     private static final Pattern DRV_CFG_MDM_IPS_PATTERN = Pattern.compile("\\s*,\\s*");
 
+    /**
+     * Default command execution timeout 5 minutes.
+     */
+    public static final int DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
+
     public static boolean addMdms(String... mdmAddresses) {
         if (mdmAddresses.length < 1) {
             return false;
@@ -226,14 +231,10 @@ public class ScaleIOUtil {
                 }
             } else {
                 String command = String.format(REMOVE_MDM_CMD_TEMPLATE, mdmAddress, DRV_CFG_FILE);
-                String stdErr = Script.executeCommand(command).second();
-                if(StringUtils.isEmpty(stdErr)) {
-                    // restart SDC needed only if configuration file modified manually (not by CLI)
-                    restartSDC = true;
-                    changesApplied = true;
-                } else {
-                    LOGGER.error(String.format("Failed to remove MDM %s from %s: %s", mdmAddress, DRV_CFG_FILE, stdErr));
-                }
+                Script.runSimpleBashScript(command, DEFAULT_TIMEOUT_MS);
+                // restart SDC needed only if configuration file modified manually (not by CLI)
+                restartSDC = true;
+                changesApplied = true;
             }
         }
         if (restartSDC) {
@@ -338,9 +339,9 @@ public class ScaleIOUtil {
      */
     public static boolean isMdmPresent(String mdmAddress) {
         //query_mdms outputs "MDM-ID <System/MDM-Id> SDC ID <SDC-Id> INSTALLATION ID <Installation-Id> IPs [0]-x.x.x.x [1]-x.x.x.x" for a MDM with ID: <MDM-Id>
-        String queryMdmsCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_MDMS_CMD;
+        String queryMdmsCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_MDMS_CMD + " --file " + DRV_CFG_FILE;
         queryMdmsCmd += "|grep " + mdmAddress;
-        String result = Script.runSimpleBashScript(queryMdmsCmd);
+        String result = Script.runSimpleBashScript(queryMdmsCmd, DEFAULT_TIMEOUT_MS);
 
         return StringUtils.isNotBlank(result) && result.contains(mdmAddress);
     }
@@ -348,7 +349,7 @@ public class ScaleIOUtil {
     public static String getSdcHomePath() {
         String sdcHomePropertyCmdFormat = "sed -n '/%s/p' '%s' 2>/dev/null  | sed 's/%s=//g' 2>/dev/null";
         String sdcHomeCmd = String.format(sdcHomePropertyCmdFormat, SDC_HOME_PARAMETER, AGENT_PROPERTIES_FILE, SDC_HOME_PARAMETER);
-        String result = Script.runSimpleBashScript(sdcHomeCmd);
+        String result = Script.runSimpleBashScript(sdcHomeCmd, DEFAULT_TIMEOUT_MS);
         String sdcHomePath;
         if (result == null) {
             sdcHomePath = DEFAULT_SDC_HOME_PATH;
@@ -364,7 +365,7 @@ public class ScaleIOUtil {
         // Detecting new volumes
         String rescanCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.RESCAN_CMD;
 
-        String result = Script.runSimpleBashScript(rescanCmd);
+        String result = Script.runSimpleBashScript(rescanCmd, DEFAULT_TIMEOUT_MS);
         if (result == null) {
             LOGGER.warn("Failed to rescan for new volumes");
         }
@@ -375,7 +376,7 @@ public class ScaleIOUtil {
         String queryDiskCmd = SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_VOLUMES_CMD;
         queryDiskCmd += "|grep " + volumeId + "|awk '{print $4}'";
 
-        String result = Script.runSimpleBashScript(queryDiskCmd);
+        String result = Script.runSimpleBashScript(queryDiskCmd, DEFAULT_TIMEOUT_MS);
         if (result == null) {
             LOGGER.warn("Query volumes failed to get volume: " + volumeId + " details for system id");
             return null;
@@ -390,8 +391,8 @@ public class ScaleIOUtil {
     }
 
     public static String getSdcGuid() {
-        String queryGuidCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_GUID_CMD;
-        String result = Script.runSimpleBashScript(queryGuidCmd);
+        String queryGuidCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_GUID_CMD + " --file " + DRV_CFG_FILE;
+        String result = Script.runSimpleBashScript(queryGuidCmd, DEFAULT_TIMEOUT_MS);
         if (result == null) {
             LOGGER.warn("Failed to get SDC guid");
             return null;
@@ -412,9 +413,9 @@ public class ScaleIOUtil {
 
     public static String getSdcId(String mdmId) {
         //query_mdms outputs "MDM-ID <System/MDM-Id> SDC ID <SDC-Id> INSTALLATION ID <Installation-Id> IPs [0]-x.x.x.x [1]-x.x.x.x" for a MDM with ID: <MDM-Id>
-        String queryMdmsCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_MDMS_CMD;
+        String queryMdmsCmd = ScaleIOUtil.SDC_HOME_PATH + "/bin/" + ScaleIOUtil.QUERY_MDMS_CMD + " --file " + DRV_CFG_FILE;
         queryMdmsCmd += "|grep " + mdmId + "|awk '{print $5}'";
-        String result = Script.runSimpleBashScript(queryMdmsCmd);
+        String result = Script.runSimpleBashScript(queryMdmsCmd, DEFAULT_TIMEOUT_MS);
         if (result == null) {
             LOGGER.warn("Failed to get SDC Id, for the MDM: " + mdmId);
             return null;
diff --git a/plugins/storage/volume/scaleio/src/test/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImplTest.java b/plugins/storage/volume/scaleio/src/test/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImplTest.java
index 817a67fc650..ee8351ae765 100644
--- a/plugins/storage/volume/scaleio/src/test/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImplTest.java
+++ b/plugins/storage/volume/scaleio/src/test/java/org/apache/cloudstack/storage/datastore/client/ScaleIOGatewayClientImplTest.java
@@ -99,8 +99,6 @@ public class ScaleIOGatewayClientImplTest {
     @Test
     public void testClientAuthSuccess() {
         Assert.assertNotNull(client);
-        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
-                .withBasicAuth(new BasicCredentials(username, password)));
 
         wireMockRule.stubFor(get("/api/types/StoragePool/instances")
                 .willReturn(aResponse()
@@ -110,25 +108,28 @@ public class ScaleIOGatewayClientImplTest {
 
         client.listStoragePools();
 
+        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
+                .withBasicAuth(new BasicCredentials(username, password)));
+
         wireMockRule.verify(getRequestedFor(urlEqualTo("/api/types/StoragePool/instances"))
                 .withBasicAuth(new BasicCredentials(username, sessionKey)));
     }
 
     @Test(expected = CloudRuntimeException.class)
     public void testClientAuthFailure() throws Exception {
+        Assert.assertNotNull(client);
+
         wireMockRule.stubFor(get("/api/login")
                 .willReturn(unauthorized()
                         .withHeader("content-type", "application/json;charset=UTF-8")
                         .withBody("")));
 
-        new ScaleIOGatewayClientImpl("https://localhost/api", username, password, false, timeout, maxConnections);
+        client.listStoragePools();
     }
 
     @Test(expected = ServerApiException.class)
     public void testRequestTimeout() {
         Assert.assertNotNull(client);
-        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
-                .withBasicAuth(new BasicCredentials(username, password)));
 
         wireMockRule.stubFor(get("/api/types/StoragePool/instances")
                 .willReturn(aResponse()
@@ -143,14 +144,15 @@ public class ScaleIOGatewayClientImplTest {
     @Test
     public void testCreateSingleVolume() {
         Assert.assertNotNull(client);
-        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
-                .withBasicAuth(new BasicCredentials(username, password)));
 
         final String volumeName = "testvolume";
         final String scaleIOStoragePoolId = "4daaa55e00000000";
         final int sizeInGb = 8;
         Volume scaleIOVolume = client.createVolume(volumeName, scaleIOStoragePoolId, sizeInGb, Storage.ProvisioningType.THIN);
 
+        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
+                .withBasicAuth(new BasicCredentials(username, password)));
+
         wireMockRule.verify(postRequestedFor(urlEqualTo("/api/types/Volume/instances"))
                 .withBasicAuth(new BasicCredentials(username, sessionKey))
                 .withRequestBody(containing("\"name\":\"" + volumeName + "\""))
@@ -169,8 +171,6 @@ public class ScaleIOGatewayClientImplTest {
     @Test
     public void testCreateMultipleVolumes() {
         Assert.assertNotNull(client);
-        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
-                .withBasicAuth(new BasicCredentials(username, password)));
 
         final String volumeNamePrefix = "testvolume_";
         final String scaleIOStoragePoolId = "4daaa55e00000000";
@@ -188,6 +188,9 @@ public class ScaleIOGatewayClientImplTest {
             Assert.assertEquals(scaleIOVolume.getVolumeType(), Volume.VolumeType.ThinProvisioned);
         }
 
+        wireMockRule.verify(getRequestedFor(urlEqualTo("/api/login"))
+                .withBasicAuth(new BasicCredentials(username, password)));
+
         wireMockRule.verify(volumesCount, postRequestedFor(urlEqualTo("/api/types/Volume/instances"))
                 .withBasicAuth(new BasicCredentials(username, sessionKey))
                 .withRequestBody(containing("\"name\":\"" + volumeNamePrefix))
diff --git a/plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java
index 57f71c4ea80..d2af4c24ce4 100644
--- a/plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java
@@ -183,14 +183,14 @@ public class OauthLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
     }
 
     protected Long getDomainIdFromParams(Map<String, Object[]> params, StringBuilder auditTrailSb, String responseType) {
-        String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
+        String domainIdStr = _apiServer.getDomainId(params);
         Long domainId = null;
-        if (domainIdArr != null && domainIdArr.length > 0) {
+        if (StringUtils.isNotEmpty(domainIdStr)) {
             try {
                 //check if UUID is passed in for domain
-                domainId = _apiServer.fetchDomainId(domainIdArr[0]);
+                domainId = _apiServer.fetchDomainId(domainIdStr);
                 if (domainId == null) {
-                    domainId = Long.parseLong(domainIdArr[0]);
+                    domainId = Long.parseLong(domainIdStr);
                 }
                 auditTrailSb.append(" domainid=" + domainId);// building the params for POST call
             } catch (final NumberFormatException e) {
diff --git a/plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmdTest.java b/plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmdTest.java
index ccbb53cfc80..962ffefd5ce 100644
--- a/plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmdTest.java
+++ b/plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmdTest.java
@@ -85,10 +85,29 @@ public class OauthLoginAPIAuthenticatorCmdTest {
         ApiServer apiServer = mock(ApiServer.class);
         cmd._apiServer = apiServer;
         when(apiServer.fetchDomainId("1234")).thenReturn(5678L);
+        when(apiServer.getDomainId(params)).thenCallRealMethod();
 
         Long domainId = cmd.getDomainIdFromParams(params, auditTrailSb, responseType);
 
         assertEquals(Long.valueOf(5678), domainId);
         assertEquals(" domainid=5678", auditTrailSb.toString());
     }
+
+    @Test
+    public void testGetDomainIdFromCamelCaseParam() {
+        StringBuilder auditTrailSb = new StringBuilder();
+        String responseType = "json";
+        Map<String, Object[]> params = new HashMap<>();
+        params.put(ApiConstants.DOMAIN_ID, null);
+        params.put(ApiConstants.DOMAIN__ID, new String[]{"5678"});
+        ApiServer apiServer = mock(ApiServer.class);
+        cmd._apiServer = apiServer;
+        when(apiServer.fetchDomainId("5678")).thenReturn(1234L);
+        when(apiServer.getDomainId(params)).thenCallRealMethod();
+
+        Long domainId = cmd.getDomainIdFromParams(params, auditTrailSb, responseType);
+
+        assertEquals(Long.valueOf(1234), domainId);
+        assertEquals(" domainid=1234", auditTrailSb.toString());
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/ApiDBUtils.java b/server/src/main/java/com/cloud/api/ApiDBUtils.java
index 57eeb63ea9f..1d6d5d5c500 100644
--- a/server/src/main/java/com/cloud/api/ApiDBUtils.java
+++ b/server/src/main/java/com/cloud/api/ApiDBUtils.java
@@ -321,7 +321,6 @@ import com.cloud.template.TemplateManager;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
 import com.cloud.user.AccountDetailsDao;
-import com.cloud.user.AccountManager;
 import com.cloud.user.AccountService;
 import com.cloud.user.AccountVO;
 import com.cloud.user.ResourceLimitService;
@@ -361,6 +360,8 @@ import com.cloud.vm.dao.VMInstanceDetailsDao;
 import com.cloud.vm.dao.VMInstanceDao;
 import com.cloud.vm.snapshot.VMSnapshot;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
+import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -498,6 +499,7 @@ public class ApiDBUtils {
     static BackupRepositoryDao s_backupRepositoryDao;
     static NicDao s_nicDao;
     static ResourceManagerUtil s_resourceManagerUtil;
+    static ApiKeyPairDao s_apiKeyPairDao;
     static SnapshotPolicyDetailsDao s_snapshotPolicyDetailsDao;
     static ObjectStoreDao s_objectStoreDao;
 
@@ -764,6 +766,8 @@ public class ApiDBUtils {
     @Inject
     private ResourceManagerUtil resourceManagerUtil;
     @Inject
+    private ApiKeyPairDao apiKeyPairDao;
+    @Inject
     SnapshotPolicyDetailsDao snapshotPolicyDetailsDao;
 
     @Inject
@@ -907,6 +911,7 @@ public class ApiDBUtils {
         s_backupRepositoryDao = backupRepositoryDao;
         s_resourceIconDao = resourceIconDao;
         s_resourceManagerUtil = resourceManagerUtil;
+        s_apiKeyPairDao = apiKeyPairDao;
         s_objectStoreDao = objectStoreDao;
         s_bucketDao = bucketDao;
         s_virtualMachineManager = virtualMachineManager;
@@ -1984,10 +1989,8 @@ public class ApiDBUtils {
     }
 
     public static UserResponse newUserResponse(ResponseView view, Long domainId, UserAccountJoinVO usr) {
-        UserResponse response = s_userAccountJoinDao.newUserResponse(view, usr);
-        if(!AccountManager.UseSecretKeyInResponse.value()){
-            response.setSecretKey(null);
-        }
+        ApiKeyPairVO lastKeyPair = searchForLatestUserKeyPair(usr.getId());
+        UserResponse response = s_userAccountJoinDao.newUserResponse(view, usr, lastKeyPair);
         // Populate user account role information
         if (usr.getAccountRoleId() != null) {
             Role role = s_roleService.findRole( usr.getAccountRoleId());
@@ -2004,6 +2007,10 @@ public class ApiDBUtils {
         return response;
     }
 
+    public static ApiKeyPairVO searchForLatestUserKeyPair(Long userId) {
+        return s_apiKeyPairDao.getLastApiKeyCreatedByUser(userId);
+    }
+
     public static UserAccountJoinVO newUserView(User usr) {
         return s_userAccountJoinDao.newUserView(usr);
     }
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index 655f5acb46e..cf98df0da24 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -39,8 +39,16 @@ import java.util.stream.Collectors;
 
 import javax.inject.Inject;
 
+import com.cloud.domain.dao.DomainDao;
+import com.cloud.user.AccountVO;
+import com.cloud.user.ApiKeyPairState;
+import com.cloud.user.dao.AccountDao;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.RoleVO;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.acl.dao.RoleDao;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.AffinityGroupResponse;
 import org.apache.cloudstack.annotation.AnnotationService;
@@ -66,6 +74,7 @@ import org.apache.cloudstack.api.response.AutoScaleVmProfileResponse;
 import org.apache.cloudstack.api.response.BackupOfferingResponse;
 import org.apache.cloudstack.api.response.BackupRepositoryResponse;
 import org.apache.cloudstack.api.response.BackupScheduleResponse;
+import org.apache.cloudstack.api.response.BaseRolePermissionResponse;
 import org.apache.cloudstack.api.response.BgpPeerResponse;
 import org.apache.cloudstack.api.response.BucketResponse;
 import org.apache.cloudstack.api.response.CapabilityResponse;
@@ -113,6 +122,7 @@ import org.apache.cloudstack.api.response.IpRangeResponse;
 import org.apache.cloudstack.api.response.Ipv4RouteResponse;
 import org.apache.cloudstack.api.response.Ipv6RouteResponse;
 import org.apache.cloudstack.api.response.IsolationMethodResponse;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
 import org.apache.cloudstack.api.response.LBHealthCheckPolicyResponse;
 import org.apache.cloudstack.api.response.LBHealthCheckResponse;
 import org.apache.cloudstack.api.response.LBStickinessPolicyResponse;
@@ -542,6 +552,15 @@ public class ApiResponseHelper implements ResponseGenerator {
         return domainPath.toString();
     }
 
+    @Inject
+    private RoleDao roleDao;
+
+    @Inject
+    private AccountDao accountDao;
+
+    @Inject
+    private DomainDao domainDao;
+
     @Override
     public UserResponse createUserResponse(User user) {
         UserAccountJoinVO vUser = ApiDBUtils.newUserView(user);
@@ -1656,7 +1675,7 @@ public class ApiResponseHelper implements ResponseGenerator {
 
         Network guestNtwk = ApiDBUtils.findNetworkById(fwRule.getNetworkId());
         response.setNetworkId(guestNtwk.getUuid());
-
+        response.setNetworkName(guestNtwk.getName());
 
         IpAddress ip = ApiDBUtils.findIpAddressById(fwRule.getSourceIpAddressId());
 
@@ -3516,6 +3535,7 @@ public class ApiResponseHelper implements ResponseGenerator {
         if (voff != null) {
             response.setVpcOfferingId(voff.getUuid());
             response.setVpcOfferingName(voff.getName());
+            response.setVpcOfferingConserveMode(voff.isConserveMode());
         }
         response.setCidr(vpc.getCidr());
         response.setRestartRequired(vpc.isRestartRequired());
@@ -5707,4 +5727,79 @@ protected Map<String, ResourceIcon> getResourceIconsUsingOsCategory(List<Templat
         consoleSessionResponse.setObjectName("consolesession");
         return consoleSessionResponse;
     }
+
+    @Override
+    public ApiKeyPairResponse createKeyPairResponse(ApiKeyPair keyPair) {
+        ApiKeyPairResponse apiKeyPairResponse = new ApiKeyPairResponse();
+
+        populateApiKeyPairInApiKeyPairResponse(keyPair, apiKeyPairResponse);
+        populateUserInApiKeyPairResponse(keyPair, apiKeyPairResponse);
+
+        AccountVO account = accountDao.findByIdIncludingRemoved(keyPair.getAccountId());
+        apiKeyPairResponse.setAccountId(account.getUuid());
+        apiKeyPairResponse.setAccountName(account.getAccountName());
+        apiKeyPairResponse.setAccountType(account.getType().toString());
+
+        populateDomainInApiKeyPairResponse(account.getDomainId(), apiKeyPairResponse);
+        populateRoleInApiKeyPairResponse(account.getRoleId(), apiKeyPairResponse);
+
+        return apiKeyPairResponse;
+    }
+
+    protected void populateRoleInApiKeyPairResponse(Long roleId, ApiKeyPairResponse apiKeyPairResponse) {
+        RoleVO roleVO = roleDao.findById(roleId);
+        apiKeyPairResponse.setRoleId(roleVO.getUuid());
+        apiKeyPairResponse.setRoleName(roleVO.getName());
+        apiKeyPairResponse.setRoleType(roleVO.getRoleType().name());
+    }
+
+    protected static void populateApiKeyPairInApiKeyPairResponse(ApiKeyPair keyPair, ApiKeyPairResponse apiKeyPairResponse) {
+        apiKeyPairResponse.setName(keyPair.getName());
+        apiKeyPairResponse.setApiKey(keyPair.getApiKey());
+        apiKeyPairResponse.setSecretKey(keyPair.getSecretKey());
+        apiKeyPairResponse.setDescription(keyPair.getDescription());
+        apiKeyPairResponse.setId(keyPair.getUuid());
+        apiKeyPairResponse.setCreated(keyPair.getCreated());
+        apiKeyPairResponse.setStartDate(keyPair.getStartDate());
+        apiKeyPairResponse.setEndDate(keyPair.getEndDate());
+
+        ApiKeyPairState state = ApiKeyPairState.ENABLED;
+        if (keyPair.getRemoved() != null) {
+            state = ApiKeyPairState.REMOVED;
+        } else if (keyPair.hasEndDatePassed()) {
+            state = ApiKeyPairState.EXPIRED;
+        }
+        apiKeyPairResponse.setState(state);
+    }
+
+    protected void populateUserInApiKeyPairResponse(ApiKeyPair keyPair, ApiKeyPairResponse apiKeyPairResponse) {
+        User user = ApiDBUtils.findUserById(keyPair.getUserId());
+        apiKeyPairResponse.setUserId(user.getUuid());
+        apiKeyPairResponse.setUsername(user.getUsername());
+    }
+
+    protected void populateDomainInApiKeyPairResponse(Long domainId, ApiKeyPairResponse apiKeyPairResponse) {
+        DomainVO domainVO = domainDao.findById(domainId);
+        apiKeyPairResponse.setDomainId(domainVO.getUuid());
+        apiKeyPairResponse.setDomainName(domainVO.getName());
+        StringBuilder domainPath = new StringBuilder("ROOT");
+        (domainPath.append(domainVO.getPath())).deleteCharAt(domainPath.length() - 1);
+        apiKeyPairResponse.setDomainPath(domainPath.toString());
+    }
+
+    @Override
+    public ListResponse<BaseRolePermissionResponse> createKeypairPermissionsResponse(final List<ApiKeyPairPermission> permissions) {
+        final ListResponse<BaseRolePermissionResponse> response = new ListResponse<>();
+        final List<BaseRolePermissionResponse> permissionResponses = new ArrayList<>();
+        for (final ApiKeyPairPermission permission : permissions) {
+            BaseRolePermissionResponse permissionResponse = new BaseRolePermissionResponse();
+            permissionResponse.setRule(permission.getRule());
+            permissionResponse.setRulePermission(permission.getPermission());
+            permissionResponse.setDescription(permission.getDescription());
+            permissionResponse.setObjectName("keypermission");
+            permissionResponses.add(permissionResponse);
+        }
+        response.setResponses(permissionResponses);
+        return response;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java
index 4a6a1180363..dc07814c972 100644
--- a/server/src/main/java/com/cloud/api/ApiServer.java
+++ b/server/src/main/java/com/cloud/api/ApiServer.java
@@ -60,6 +60,7 @@ import javax.servlet.http.HttpSession;
 
 import com.cloud.cluster.ManagementServerHostVO;
 import com.cloud.cluster.dao.ManagementServerHostDao;
+import com.cloud.utils.Ternary;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountManagerImpl;
@@ -68,6 +69,9 @@ import com.cloud.user.User;
 import com.cloud.user.UserAccount;
 import com.cloud.user.UserVO;
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.ApiKeyPairManagerImpl;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -237,6 +241,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
     private UUIDManager uuidMgr;
     @Inject
     private UserPasswordResetManager userPasswordResetManager;
+    @Inject
+    private ApiKeyPairManagerImpl keyPairManager;
 
     private List<PluggableService> pluggableServices;
 
@@ -1081,14 +1087,16 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
             txn.close();
             User user;
             // verify there is a user with this api key
-            final Pair<User, Account> userAcctPair = accountMgr.findUserByApiKey(apiKey);
-            if (userAcctPair == null) {
+            final Ternary<User, Account, ApiKeyPair> keyPairTernary = accountMgr.findUserByApiKey(apiKey);
+
+            if (keyPairTernary == null) {
                 logger.debug("apiKey does not map to a valid user -- ignoring request, apiKey: {}", apiKey);
                 return false;
             }
 
-            user = userAcctPair.first();
-            final Account account = userAcctPair.second();
+            user = keyPairTernary.first();
+            Account account = keyPairTernary.second();
+            ApiKeyPair keyPair = keyPairTernary.third();
 
             if (user.getState() != Account.State.ENABLED || !account.getState().equals(Account.State.ENABLED)) {
                 logger.info("disabled or locked user accessing the api, user = {} (state: {}); " +
@@ -1104,10 +1112,16 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
                 return false;
             }
 
-            // verify secret key exists
-            secretKey = user.getSecretKey();
+            if (keyPair.getRemoved() != null) {
+                logger.info(String.format("Invalid request, as used API keypair [%s] has been removed.", keyPair.getUuid()));
+                return false;
+            }
+
+            keyPair.validateDate();
+
+            secretKey = keyPair.getSecretKey();
             if (secretKey == null) {
-                logger.info("User does not have a secret key associated with the account -- ignoring request, username: {}", user);
+                logger.info(String.format("User does not have a secret key associated with the API key -- ignoring request, username: [%s].", user.getUsername()));
                 return false;
             }
 
@@ -1125,21 +1139,28 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
             if (!equalSig) {
                 signature = signature.replaceAll(SANITIZATION_REGEX, "_");
                 logger.info("User signature [{}] is not equaled to computed signature [{}].", signature, computedSignature);
-            } else {
-                CallContext.register(user, account);
+                return false;
+            }
+            CallContext.register(user, account);
+
+            List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());
+            if (commandAvailable(remoteAddress, commandName, user, keyPairPermissions.toArray(new ApiKeyPairPermission[0]))) {
+                logger.info("API accessed through API Key Pair. API Key: [{}].", keyPair.getApiKey());
+                return true;
             }
-            return equalSig;
         } catch (final ServerApiException ex) {
             throw ex;
+        } catch (PermissionDeniedException ex) {
+            logger.error("Permission denied for keypair, reason: {}.", ex.getMessage());
         } catch (final Exception ex) {
-            logger.error("unable to verify request signature");
+            logger.error("Unable to verify request signature.", ex);
         }
         return false;
     }
 
-    private boolean commandAvailable(final InetAddress remoteAddress, final String commandName, final User user) {
+    private boolean commandAvailable(final InetAddress remoteAddress, final String commandName, final User user, ApiKeyPairPermission... rolePermissions) {
         try {
-            checkCommandAvailable(user, commandName, remoteAddress);
+            checkCommandAvailable(user, commandName, remoteAddress, rolePermissions);
         } catch (final RequestLimitException ex) {
             logger.debug(ex.getMessage());
             throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED, ex.getMessage());
@@ -1413,7 +1434,26 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
         return userPasswordResetManager.validateAndResetPassword(userAccount, token, password);
     }
 
-    private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException {
+    @Override
+    public String getDomainId(Map<String, Object[]> params) {
+        if (MapUtils.isEmpty(params)) {
+            return null;
+        }
+
+        String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
+        if (domainIdArr == null) {
+            // Fallback to support clients using the camelCase parameter name "domainId"
+            domainIdArr = (String[])params.get(ApiConstants.DOMAIN__ID);
+        }
+
+        if (domainIdArr == null || domainIdArr.length == 0) {
+            return null;
+        }
+
+        return domainIdArr[0];
+    }
+
+    private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress, ApiKeyPairPermission ... apiKeyPairPermissions) throws PermissionDeniedException {
         if (user == null) {
             throw new PermissionDeniedException("User is null for role based API access check for command" + commandName);
         }
@@ -1427,12 +1467,11 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
             if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) {
                 logger.warn("Request by account '{}' was denied since {} does not match {}", account.toString(), remoteAddress, accessAllowedCidrs);
                 throw new OriginDeniedException("Calls from disallowed origin", account, remoteAddress);
-                }
+            }
         }
 
-
         for (final APIChecker apiChecker : apiAccessCheckers) {
-            apiChecker.checkAccess(user, commandName);
+            apiChecker.checkAccess(user, commandName, apiKeyPairPermissions);
         }
     }
 
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index dd99b4e13ca..bfeb3d276e4 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -343,7 +343,7 @@ public class ApiServlet extends HttpServlet {
                     return;
                 }
             } else {
-                LOGGER.trace("no command available");
+                LOGGER.trace("No command available.");
             }
             auditTrailSb.append(cleanQueryString);
             final boolean isNew = ((session == null) ? true : session.isNew());
@@ -353,7 +353,7 @@ public class ApiServlet extends HttpServlet {
             // if a API key exists
 
             if (isNew && LOGGER.isTraceEnabled()) {
-                LOGGER.trace(String.format("new session: %s", session));
+                LOGGER.trace(String.format("New session: %s.", session));
             }
 
             if (!isNew && (command.equalsIgnoreCase(ValidateUserTwoFactorAuthenticationCodeCmd.APINAME) || (!skip2FAcheckForAPIs(command) && !skip2FAcheckForUser(session)))) {
diff --git a/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java b/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
index 4514ed83178..0d1e1d96674 100644
--- a/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
+++ b/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
@@ -20,6 +20,7 @@ import com.cloud.api.ApiServlet;
 import com.cloud.domain.Domain;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
+import com.cloud.utils.StringUtils;
 import org.apache.cloudstack.api.ApiServerService;
 import com.cloud.api.response.ApiResponseSerializer;
 import com.cloud.exception.CloudAuthenticationException;
@@ -115,14 +116,14 @@ public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthe
         // FIXME: ported from ApiServlet, refactor and cleanup
         final String[] username = (String[])params.get(ApiConstants.USERNAME);
         final String[] password = (String[])params.get(ApiConstants.PASSWORD);
-        final String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
+        String domainIdStr = _apiServer.getDomainId(params);
         Long domainId = null;
-        if (domainIdArr != null && domainIdArr.length > 0) {
+        if (StringUtils.isNotEmpty(domainIdStr)) {
             try {
                 //check if UUID is passed in for domain
-                domainId = _apiServer.fetchDomainId(domainIdArr[0]);
+                domainId = _apiServer.fetchDomainId(domainIdStr);
                 if (domainId == null) {
-                    domainId = Long.parseLong(domainIdArr[0]);
+                    domainId = Long.parseLong(domainIdStr);
                 }
                 auditTrailSb.append(" domainid=" + domainId);// building the params for POST call
             } catch (final NumberFormatException e) {
diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index 0cec3a38075..fb97e2f3d8d 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -37,6 +37,13 @@ import java.util.stream.Stream;
 
 import javax.inject.Inject;
 
+import com.cloud.network.PublicIpQuarantine;
+import com.cloud.network.dao.PublicIpQuarantineDao;
+import com.cloud.network.vo.PublicIpQuarantineVO;
+import com.cloud.user.UserVO;
+import org.apache.cloudstack.acl.RoleService;
+import org.apache.cloudstack.acl.RoleVO;
+import org.apache.cloudstack.acl.dao.RoleDao;
 import com.cloud.dc.Pod;
 import com.cloud.dc.dao.DataCenterDao;
 import com.cloud.dc.dao.HostPodDao;
@@ -178,6 +185,7 @@ import org.apache.cloudstack.storage.datastore.db.SnapshotDataStoreVO;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailVO;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolDetailsDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
+import org.apache.cloudstack.utils.baremetal.BaremetalUtils;
 import org.apache.cloudstack.vm.lease.VMLeaseManager;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections.MapUtils;
@@ -262,7 +270,6 @@ import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostTagsDao;
 import com.cloud.hypervisor.Hypervisor;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
-import com.cloud.network.PublicIpQuarantine;
 import com.cloud.network.RouterHealthCheckResult;
 import com.cloud.network.VNF;
 import com.cloud.network.VpcVirtualNetworkApplianceService;
@@ -272,13 +279,11 @@ import com.cloud.network.dao.IPAddressDao;
 import com.cloud.network.dao.IPAddressVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
-import com.cloud.network.dao.PublicIpQuarantineDao;
 import com.cloud.network.dao.RouterHealthCheckResultDao;
 import com.cloud.network.dao.RouterHealthCheckResultVO;
 import com.cloud.network.router.VirtualNetworkApplianceManager;
 import com.cloud.network.security.SecurityGroupVMMapVO;
 import com.cloud.network.security.dao.SecurityGroupVMMapDao;
-import com.cloud.network.vo.PublicIpQuarantineVO;
 import com.cloud.offering.DiskOffering;
 import com.cloud.offering.ServiceOffering;
 import com.cloud.org.Grouping;
@@ -377,6 +382,9 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     @Inject
     AccountManager accountMgr;
 
+    @Inject
+    RoleService roleService;
+
     @Inject
     ProjectManager _projectMgr;
 
@@ -646,6 +654,9 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
     @Inject
     ExtensionHelper extensionHelper;
 
+    @Inject
+    RoleDao roleDao;
+
     /*
      * (non-Javadoc)
      *
@@ -825,6 +836,37 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
         return _userAccountJoinDao.searchAndCount(sc, searchFilter);
     }
 
+    @Override
+    public List<Long> searchForAccessibleUsers() {
+        List<Long> permittedAccounts = new ArrayList<>();
+        Account callingAccount = CallContext.current().getCallingAccount();
+        Filter searchFilter = new Filter(UserAccountJoinVO.class, "id", true);
+        List<RoleVO> allowedRoles = roleDao.listAll();
+        roleService.removeRolesIfNeeded(allowedRoles);
+        List<Long> allowedRolesId = allowedRoles.stream().map(RoleVO::getId).collect(Collectors.toList());
+
+        Pair<List<UserAccountJoinVO>, Integer> usersPair = getUserListInternal(callingAccount, permittedAccounts,
+                true, null, null, null, null, null, null, null, callingAccount.getDomainId(), true, searchFilter, null);
+        return usersPair.first().stream().filter(userAccount -> {
+            if (BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(userAccount.getUsername()) && !accountMgr.isRootAdmin(callingAccount.getId())) {
+                return false;
+            }
+
+            AccountVO accountVO = _accountDao.findByIdIncludingRemoved(userAccount.getAccountId());
+            UserVO userVO = userDao.findByIdIncludingRemoved(userAccount.getId());
+            if (ObjectUtils.anyNull(accountVO, userVO)) {
+                return false;
+            }
+
+            try {
+                accountMgr.checkCallerRoleTypeAllowedForUserOrAccountOperations(accountVO, userVO);
+            } catch (PermissionDeniedException exception) {
+                return false;
+            }
+            return allowedRolesId.contains(userAccount.getAccountRoleId());
+        }).map(UserAccountJoinVO::getId).collect(Collectors.toList());
+    }
+
     @Override
     public ListResponse<EventResponse> searchForEvents(ListEventsCmd cmd) {
         Pair<List<EventJoinVO>, Integer> result = searchForEventsInternal(cmd);
diff --git a/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDao.java b/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDao.java
index cff758d0c17..e0d88fbfde7 100644
--- a/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDao.java
+++ b/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDao.java
@@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
 import java.util.List;
 
 import org.apache.cloudstack.api.ResponseObject;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.api.response.UserResponse;
 
 import com.cloud.api.query.vo.UserAccountJoinVO;
@@ -28,7 +29,7 @@ import com.cloud.utils.db.GenericDao;
 
 public interface UserAccountJoinDao extends GenericDao<UserAccountJoinVO, Long> {
 
-    UserResponse newUserResponse(ResponseObject.ResponseView responseView, UserAccountJoinVO usr);
+    UserResponse newUserResponse(ResponseObject.ResponseView responseView, UserAccountJoinVO usr, ApiKeyPairVO lastKeyPair);
 
     UserAccountJoinVO newUserView(User usr);
 
diff --git a/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java
index f2c234b4c7c..f7dddb3ac07 100644
--- a/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java
+++ b/server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java
@@ -19,8 +19,10 @@ package com.cloud.api.query.dao;
 import java.util.List;
 
 
+import com.cloud.user.AccountManager;
 import com.cloud.user.AccountManagerImpl;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.springframework.stereotype.Component;
 
 import org.apache.cloudstack.api.response.UserResponse;
@@ -53,7 +55,7 @@ public class UserAccountJoinDaoImpl extends GenericDaoBase<UserAccountJoinVO, Lo
     }
 
     @Override
-    public UserResponse newUserResponse(ResponseView view, UserAccountJoinVO usr) {
+    public UserResponse newUserResponse(ResponseView view, UserAccountJoinVO usr, ApiKeyPairVO lastKeyPair) {
         UserResponse userResponse = new UserResponse();
         userResponse.setAccountId(usr.getAccountUuid());
         userResponse.setAccountName(usr.getAccountName());
@@ -69,10 +71,14 @@ public class UserAccountJoinDaoImpl extends GenericDaoBase<UserAccountJoinVO, Lo
         userResponse.setState(usr.getState().toString());
         userResponse.setTimezone(usr.getTimezone());
         userResponse.setUsername(usr.getUsername());
-        userResponse.setApiKey(usr.getApiKey());
-        userResponse.setSecretKey(usr.getSecretKey());
         userResponse.setIsDefault(usr.isDefault());
         userResponse.set2FAenabled(usr.isUser2faEnabled());
+        if (lastKeyPair != null) {
+            userResponse.setApiKey(lastKeyPair.getApiKey());
+            if (AccountManager.UseSecretKeyInResponse.value()) {
+                userResponse.setSecretKey(lastKeyPair.getSecretKey());
+            }
+        }
         long domainId = usr.getDomainId();
         boolean is2FAmandated = Boolean.TRUE.equals(AccountManagerImpl.enableUserTwoFactorAuthentication.valueIn(domainId)) && Boolean.TRUE.equals(AccountManagerImpl.mandateUserTwoFactorAuthentication.valueIn(domainId));
         userResponse.set2FAmandated(is2FAmandated);
diff --git a/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
index 7ea4b7d5834..e7fe07a18c7 100644
--- a/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
+++ b/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
@@ -77,6 +77,7 @@ public class VpcOfferingJoinDaoImpl extends GenericDaoBase<VpcOfferingJoinVO, Lo
         if (offering.isSpecifyAsNumber() != null) {
             offeringResponse.setSpecifyAsNumber(offering.isSpecifyAsNumber());
         }
+        offeringResponse.setConserveMode(offering.isConserveMode());
         if (offering instanceof VpcOfferingJoinVO) {
             VpcOfferingJoinVO offeringJoinVO = (VpcOfferingJoinVO) offering;
             offeringResponse.setDomainId(offeringJoinVO.getDomainUuid());
diff --git a/server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java b/server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java
index ad005eebb76..774759da607 100644
--- a/server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java
+++ b/server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java
@@ -19,7 +19,6 @@ package com.cloud.api.query.vo;
 import com.cloud.user.Account;
 import com.cloud.user.User;
 import com.cloud.user.UserAccount;
-import com.cloud.utils.db.Encrypt;
 import com.cloud.utils.db.GenericDao;
 import org.apache.cloudstack.api.Identity;
 import org.apache.cloudstack.api.InternalIdentity;
@@ -61,13 +60,6 @@ public class UserAccountJoinVO extends BaseViewVO implements InternalIdentity, I
     @Column(name = "state")
     private String state;
 
-    @Column(name = "api_key")
-    private String apiKey = null;
-
-    @Encrypt
-    @Column(name = "secret_key")
-    private String secretKey = null;
-
     @Column(name = GenericDao.CREATED_COLUMN)
     private Date created;
 
@@ -209,14 +201,6 @@ public class UserAccountJoinVO extends BaseViewVO implements InternalIdentity, I
         return state;
     }
 
-    public String getApiKey() {
-        return apiKey;
-    }
-
-    public String getSecretKey() {
-        return secretKey;
-    }
-
     public Date getCreated() {
         return created;
     }
diff --git a/server/src/main/java/com/cloud/api/query/vo/VpcOfferingJoinVO.java b/server/src/main/java/com/cloud/api/query/vo/VpcOfferingJoinVO.java
index 4e0707edf88..9d65c19479f 100644
--- a/server/src/main/java/com/cloud/api/query/vo/VpcOfferingJoinVO.java
+++ b/server/src/main/java/com/cloud/api/query/vo/VpcOfferingJoinVO.java
@@ -112,6 +112,9 @@ public class VpcOfferingJoinVO implements VpcOffering {
     @Column(name = "specify_as_number")
     private Boolean specifyAsNumber = false;
 
+    @Column(name = "conserve_mode")
+    private boolean conserveMode;
+
     public VpcOfferingJoinVO() {
     }
 
@@ -178,6 +181,11 @@ public class VpcOfferingJoinVO implements VpcOffering {
         return specifyAsNumber;
     }
 
+    @Override
+    public boolean isConserveMode() {
+        return conserveMode;
+    }
+
     public void setSpecifyAsNumber(Boolean specifyAsNumber) {
         this.specifyAsNumber = specifyAsNumber;
     }
diff --git a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
index 0ce4b913a02..6cc816a81de 100644
--- a/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java
@@ -22,6 +22,7 @@ import static com.cloud.offering.NetworkOffering.RoutingMode.Static;
 import static org.apache.cloudstack.framework.config.ConfigKey.CATEGORY_SYSTEM;
 
 import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Field;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
@@ -67,15 +68,18 @@ import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.admin.config.ResetCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateManagementNetworkIpRangeCmd;
-import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.ListGuestNetworkIpv6PrefixesCmd;
+import org.apache.cloudstack.api.command.admin.network.NetworkOfferingBaseCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdatePodManagementNetworkIpRangeCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateDiskOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.DeleteDiskOfferingCmd;
@@ -3854,6 +3858,459 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
         return false;
     }
 
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_SERVICE_OFFERING_CLONE, eventDescription = "cloning service offering")
+    public ServiceOffering cloneServiceOffering(final CloneServiceOfferingCmd cmd) {
+        final long userId = CallContext.current().getCallingUserId();
+        final ServiceOfferingVO sourceOffering = getAndValidateSourceOffering(cmd.getSourceOfferingId());
+        final DiskOfferingVO sourceDiskOffering = getSourceDiskOffering(sourceOffering);
+        final Map<String, String> requestParams = cmd.getFullUrlParams();
+
+        final String name = cmd.getServiceOfferingName();
+        final String displayText = getOrDefault(cmd.getDisplayText(), sourceOffering.getDisplayText());
+        final Integer cpuNumber = getOrDefault(cmd.getCpuNumber(), sourceOffering.getCpu());
+        final Integer cpuSpeed = getOrDefault(cmd.getCpuSpeed(), sourceOffering.getSpeed());
+        final Integer memory = getOrDefault(cmd.getMemory(), sourceOffering.getRamSize());
+        final String provisioningType = resolveProvisioningType(cmd, sourceDiskOffering);
+
+        final Boolean offerHa = resolveBooleanParam(requestParams, ApiConstants.OFFER_HA, cmd::isOfferHa, sourceOffering.isOfferHA());
+        final Boolean limitCpuUse = resolveBooleanParam(requestParams, ApiConstants.LIMIT_CPU_USE, cmd::isLimitCpuUse, sourceOffering.getLimitCpuUse());
+        final Boolean isVolatile = resolveBooleanParam(requestParams, ApiConstants.IS_VOLATILE, cmd::isVolatileVm, sourceOffering.isVolatileVm());
+        final Boolean isCustomized = resolveBooleanParam(requestParams, ApiConstants.CUSTOMIZED, cmd::isCustomized, sourceOffering.isCustomized());
+        final Boolean dynamicScalingEnabled = resolveBooleanParam(requestParams, ApiConstants.DYNAMIC_SCALING_ENABLED, cmd::getDynamicScalingEnabled, sourceOffering.isDynamicScalingEnabled());
+        final Boolean diskOfferingStrictness = resolveBooleanParam(requestParams, ApiConstants.DISK_OFFERING_STRICTNESS, cmd::getDiskOfferingStrictness, sourceOffering.getDiskOfferingStrictness());
+        final Boolean encryptRoot = resolveBooleanParam(requestParams, ApiConstants.ENCRYPT_ROOT, cmd::getEncryptRoot, sourceDiskOffering != null && sourceDiskOffering.getEncrypt());
+        final Boolean gpuDisplay = resolveBooleanParam(requestParams, ApiConstants.GPU_DISPLAY, cmd::getGpuDisplay, sourceOffering.getGpuDisplay());
+
+        final String storageType = resolveStorageType(cmd, sourceDiskOffering);
+        final String tags = getOrDefault(cmd.getTags(), sourceDiskOffering != null ? sourceDiskOffering.getTags() : null);
+        final List<Long> domainIds = resolveDomainIds(cmd, sourceOffering);
+        final List<Long> zoneIds = resolveZoneIds(cmd, sourceOffering);
+        final String hostTag = getOrDefault(cmd.getHostTag(), sourceOffering.getHostTag());
+        final Integer networkRate = getOrDefault(cmd.getNetworkRate(), sourceOffering.getRateMbps());
+        final String deploymentPlanner = getOrDefault(cmd.getDeploymentPlanner(), sourceOffering.getDeploymentPlanner());
+
+        final ClonedDiskOfferingParams diskParams = resolveDiskOfferingParams(cmd, sourceDiskOffering);
+
+        final CustomOfferingParams customParams = resolveCustomOfferingParams(cmd, sourceOffering, isCustomized);
+
+        final Long vgpuProfileId = getOrDefault(cmd.getVgpuProfileId(), sourceOffering.getVgpuProfileId());
+        final Integer gpuCount = getOrDefault(cmd.getGpuCount(), sourceOffering.getGpuCount());
+
+        final Boolean purgeResources = resolvePurgeResources(cmd, requestParams, sourceOffering);
+        final LeaseParams leaseParams = resolveLeaseParams(cmd, sourceOffering);
+
+        if (cmd.getCacheMode() != null) {
+            validateCacheMode(cmd.getCacheMode());
+        }
+        final Integer finalGpuCount = validateVgpuProfileAndGetGpuCount(vgpuProfileId, gpuCount);
+
+        final Map<String, String> mergedDetails = mergeOfferingDetails(cmd, sourceOffering, customParams);
+
+        final boolean localStorageRequired = ServiceOffering.StorageType.local.toString().equalsIgnoreCase(storageType);
+
+        final boolean systemUse = sourceOffering.isSystemUse();
+        final VirtualMachine.Type vmType = resolveVmType(sourceOffering);
+
+        final Long diskOfferingId = getOrDefault(cmd.getDiskOfferingId(), sourceOffering.getDiskOfferingId());
+
+        return createServiceOffering(userId, systemUse, vmType,
+                name, cpuNumber, memory, cpuSpeed, displayText, provisioningType, localStorageRequired,
+                offerHa, limitCpuUse, isVolatile, tags, domainIds, zoneIds, hostTag, networkRate,
+                deploymentPlanner, mergedDetails, diskParams.rootDiskSize, diskParams.isCustomizedIops,
+                diskParams.minIops, diskParams.maxIops,
+                diskParams.bytesReadRate, diskParams.bytesReadRateMax, diskParams.bytesReadRateMaxLength,
+                diskParams.bytesWriteRate, diskParams.bytesWriteRateMax, diskParams.bytesWriteRateMaxLength,
+                diskParams.iopsReadRate, diskParams.iopsReadRateMax, diskParams.iopsReadRateMaxLength,
+                diskParams.iopsWriteRate, diskParams.iopsWriteRateMax, diskParams.iopsWriteRateMaxLength,
+                diskParams.hypervisorSnapshotReserve, diskParams.cacheMode, customParams.storagePolicy, dynamicScalingEnabled,
+                diskOfferingId, diskOfferingStrictness, isCustomized, encryptRoot,
+                vgpuProfileId, finalGpuCount, gpuDisplay, purgeResources, leaseParams.leaseDuration, leaseParams.leaseExpiryAction);
+    }
+
+    private ServiceOfferingVO getAndValidateSourceOffering(Long sourceOfferingId) {
+        final ServiceOfferingVO sourceOffering = _serviceOfferingDao.findById(sourceOfferingId);
+        if (sourceOffering == null) {
+            throw new InvalidParameterValueException("Unable to find service offering with ID: " + sourceOfferingId);
+        }
+        return sourceOffering;
+    }
+
+    private DiskOfferingVO getSourceDiskOffering(ServiceOfferingVO sourceOffering) {
+        final Long sourceDiskOfferingId = sourceOffering.getDiskOfferingId();
+        return sourceDiskOfferingId != null ? _diskOfferingDao.findById(sourceDiskOfferingId) : null;
+    }
+
+    public <T> T getOrDefault(T cmdValue, T defaultValue) {
+        return cmdValue != null ? cmdValue : defaultValue;
+    }
+
+    public Boolean resolveBooleanParam(Map<String, String> requestParams, String paramKey,
+                                       java.util.function.Supplier<Boolean> cmdValueSupplier, Boolean defaultValue) {
+        return requestParams != null && requestParams.containsKey(paramKey) ? cmdValueSupplier.get() : defaultValue;
+    }
+
+    private String resolveProvisioningType(CloneServiceOfferingCmd cmd, DiskOfferingVO sourceDiskOffering) {
+        if (cmd.getProvisioningType() != null) {
+            return cmd.getProvisioningType();
+        }
+        if (sourceDiskOffering != null) {
+            return sourceDiskOffering.getProvisioningType().toString();
+        }
+        return Storage.ProvisioningType.THIN.toString();
+    }
+
+    private String resolveStorageType(CloneServiceOfferingCmd cmd, DiskOfferingVO sourceDiskOffering) {
+        if (cmd.getStorageType() != null) {
+            return cmd.getStorageType();
+        }
+        if (sourceDiskOffering != null && sourceDiskOffering.isUseLocalStorage()) {
+            return ServiceOffering.StorageType.local.toString();
+        }
+        return ServiceOffering.StorageType.shared.toString();
+    }
+
+    private List<Long> resolveDomainIds(CloneServiceOfferingCmd cmd, ServiceOfferingVO sourceOffering) {
+        List<Long> domainIds = cmd.getDomainIds();
+        if (domainIds == null || domainIds.isEmpty()) {
+            domainIds = _serviceOfferingDetailsDao.findDomainIds(sourceOffering.getId());
+        }
+        return domainIds;
+    }
+
+    private List<Long> resolveZoneIds(CloneServiceOfferingCmd cmd, ServiceOfferingVO sourceOffering) {
+        List<Long> zoneIds = cmd.getZoneIds();
+        if (zoneIds == null || zoneIds.isEmpty()) {
+            zoneIds = _serviceOfferingDetailsDao.findZoneIds(sourceOffering.getId());
+        }
+        return zoneIds;
+    }
+
+    private ClonedDiskOfferingParams resolveDiskOfferingParams(CloneServiceOfferingCmd cmd, DiskOfferingVO sourceDiskOffering) {
+        final ClonedDiskOfferingParams params = new ClonedDiskOfferingParams();
+
+        params.rootDiskSize = getOrDefault(cmd.getRootDiskSize(), sourceDiskOffering != null ? sourceDiskOffering.getDiskSize() : null);
+        params.bytesReadRate = getOrDefault(cmd.getBytesReadRate(), sourceDiskOffering != null ? sourceDiskOffering.getBytesReadRate() : null);
+        params.bytesReadRateMax = getOrDefault(cmd.getBytesReadRateMax(), sourceDiskOffering != null ? sourceDiskOffering.getBytesReadRateMax() : null);
+        params.bytesReadRateMaxLength = getOrDefault(cmd.getBytesReadRateMaxLength(), sourceDiskOffering != null ? sourceDiskOffering.getBytesReadRateMaxLength() : null);
+        params.bytesWriteRate = getOrDefault(cmd.getBytesWriteRate(), sourceDiskOffering != null ? sourceDiskOffering.getBytesWriteRate() : null);
+        params.bytesWriteRateMax = getOrDefault(cmd.getBytesWriteRateMax(), sourceDiskOffering != null ? sourceDiskOffering.getBytesWriteRateMax() : null);
+        params.bytesWriteRateMaxLength = getOrDefault(cmd.getBytesWriteRateMaxLength(), sourceDiskOffering != null ? sourceDiskOffering.getBytesWriteRateMaxLength() : null);
+        params.iopsReadRate = getOrDefault(cmd.getIopsReadRate(), sourceDiskOffering != null ? sourceDiskOffering.getIopsReadRate() : null);
+        params.iopsReadRateMax = getOrDefault(cmd.getIopsReadRateMax(), sourceDiskOffering != null ? sourceDiskOffering.getIopsReadRateMax() : null);
+        params.iopsReadRateMaxLength = getOrDefault(cmd.getIopsReadRateMaxLength(), sourceDiskOffering != null ? sourceDiskOffering.getIopsReadRateMaxLength() : null);
+        params.iopsWriteRate = getOrDefault(cmd.getIopsWriteRate(), sourceDiskOffering != null ? sourceDiskOffering.getIopsWriteRate() : null);
+        params.iopsWriteRateMax = getOrDefault(cmd.getIopsWriteRateMax(), sourceDiskOffering != null ? sourceDiskOffering.getIopsWriteRateMax() : null);
+        params.iopsWriteRateMaxLength = getOrDefault(cmd.getIopsWriteRateMaxLength(), sourceDiskOffering != null ? sourceDiskOffering.getIopsWriteRateMaxLength() : null);
+        params.isCustomizedIops = getOrDefault(cmd.isCustomizedIops(), sourceDiskOffering != null ? sourceDiskOffering.isCustomizedIops() : null);
+        params.minIops = getOrDefault(cmd.getMinIops(), sourceDiskOffering != null ? sourceDiskOffering.getMinIops() : null);
+        params.maxIops = getOrDefault(cmd.getMaxIops(), sourceDiskOffering != null ? sourceDiskOffering.getMaxIops() : null);
+        params.hypervisorSnapshotReserve = getOrDefault(cmd.getHypervisorSnapshotReserve(), sourceDiskOffering != null ? sourceDiskOffering.getHypervisorSnapshotReserve() : null);
+
+        if (cmd.getCacheMode() != null) {
+            params.cacheMode = cmd.getCacheMode();
+        } else if (sourceDiskOffering != null && sourceDiskOffering.getCacheMode() != null) {
+            params.cacheMode = sourceDiskOffering.getCacheMode().toString();
+        }
+
+        return params;
+    }
+
+    private CustomOfferingParams resolveCustomOfferingParams(CloneServiceOfferingCmd cmd, ServiceOfferingVO sourceOffering, Boolean isCustomized) {
+        final CustomOfferingParams params = new CustomOfferingParams();
+
+        params.maxCPU = resolveDetailParameter(cmd.getMaxCPUs(), sourceOffering.getId(), ApiConstants.MAX_CPU_NUMBER);
+        params.minCPU = resolveDetailParameter(cmd.getMinCPUs(), sourceOffering.getId(), ApiConstants.MIN_CPU_NUMBER);
+        params.maxMemory = resolveDetailParameter(cmd.getMaxMemory(), sourceOffering.getId(), ApiConstants.MAX_MEMORY);
+        params.minMemory = resolveDetailParameter(cmd.getMinMemory(), sourceOffering.getId(), ApiConstants.MIN_MEMORY);
+        params.storagePolicy = resolveDetailParameterAsLong(cmd.getStoragePolicy(), sourceOffering.getId(), ApiConstants.STORAGE_POLICY);
+
+        return params;
+    }
+
+    private Integer resolveDetailParameter(Integer cmdValue, Long offeringId, String detailKey) {
+        if (cmdValue != null) {
+            return cmdValue;
+        }
+        String detailValue = _serviceOfferingDetailsDao.getDetail(offeringId, detailKey);
+        return detailValue != null ? Integer.parseInt(detailValue) : null;
+    }
+
+    private Long resolveDetailParameterAsLong(Long cmdValue, Long offeringId, String detailKey) {
+        if (cmdValue != null) {
+            return cmdValue;
+        }
+        String detailValue = _serviceOfferingDetailsDao.getDetail(offeringId, detailKey);
+        return detailValue != null ? Long.parseLong(detailValue) : null;
+    }
+
+    private Boolean resolvePurgeResources(CloneServiceOfferingCmd cmd, Map<String, String> requestParams, ServiceOfferingVO sourceOffering) {
+        if (requestParams != null && requestParams.containsKey(ApiConstants.PURGE_RESOURCES)) {
+            return cmd.isPurgeResources();
+        }
+        String purgeResourcesStr = _serviceOfferingDetailsDao.getDetail(sourceOffering.getId(), ServiceOffering.PURGE_DB_ENTITIES_KEY);
+        return Boolean.parseBoolean(purgeResourcesStr);
+    }
+
+    private LeaseParams resolveLeaseParams(CloneServiceOfferingCmd cmd, ServiceOfferingVO sourceOffering) {
+        final LeaseParams params = new LeaseParams();
+
+        params.leaseDuration = resolveDetailParameter(cmd.getLeaseDuration(), sourceOffering.getId(), ApiConstants.INSTANCE_LEASE_DURATION);
+
+        if (cmd.getLeaseExpiryAction() != null) {
+            params.leaseExpiryAction = cmd.getLeaseExpiryAction();
+        } else {
+            String leaseExpiryActionStr = _serviceOfferingDetailsDao.getDetail(sourceOffering.getId(), ApiConstants.INSTANCE_LEASE_EXPIRY_ACTION);
+            if (leaseExpiryActionStr != null) {
+                params.leaseExpiryAction = VMLeaseManager.ExpiryAction.valueOf(leaseExpiryActionStr);
+            }
+        }
+
+        params.leaseExpiryAction = validateAndGetLeaseExpiryAction(params.leaseDuration, params.leaseExpiryAction);
+        return params;
+    }
+
+    private Map<String, String> mergeOfferingDetails(CloneServiceOfferingCmd cmd, ServiceOfferingVO sourceOffering, CustomOfferingParams customParams) {
+        final Map<String, String> cmdDetails = cmd.getDetails();
+        final Map<String, String> mergedDetails = new HashMap<>();
+
+        if (cmdDetails == null || cmdDetails.isEmpty()) {
+            Map<String, String> sourceDetails = _serviceOfferingDetailsDao.listDetailsKeyPairs(sourceOffering.getId());
+            if (sourceDetails != null) {
+                mergedDetails.putAll(sourceDetails);
+            }
+        } else {
+            mergedDetails.putAll(cmdDetails);
+        }
+
+        if (customParams.minCPU != null && customParams.maxCPU != null &&
+            customParams.minMemory != null && customParams.maxMemory != null) {
+            mergedDetails.put(ApiConstants.MIN_MEMORY, customParams.minMemory.toString());
+            mergedDetails.put(ApiConstants.MAX_MEMORY, customParams.maxMemory.toString());
+            mergedDetails.put(ApiConstants.MIN_CPU_NUMBER, customParams.minCPU.toString());
+            mergedDetails.put(ApiConstants.MAX_CPU_NUMBER, customParams.maxCPU.toString());
+        }
+
+        return mergedDetails;
+    }
+
+    private VirtualMachine.Type resolveVmType(ServiceOfferingVO sourceOffering) {
+        if (sourceOffering.getVmType() == null) {
+            return null;
+        }
+        try {
+            return VirtualMachine.Type.valueOf(sourceOffering.getVmType());
+        } catch (IllegalArgumentException e) {
+            logger.warn("Invalid VM type in source offering: {}", sourceOffering.getVmType());
+            return null;
+        }
+    }
+
+    private static class ClonedDiskOfferingParams {
+        Long rootDiskSize;
+        Long bytesReadRate;
+        Long bytesReadRateMax;
+        Long bytesReadRateMaxLength;
+        Long bytesWriteRate;
+        Long bytesWriteRateMax;
+        Long bytesWriteRateMaxLength;
+        Long iopsReadRate;
+        Long iopsReadRateMax;
+        Long iopsReadRateMaxLength;
+        Long iopsWriteRate;
+        Long iopsWriteRateMax;
+        Long iopsWriteRateMaxLength;
+        Boolean isCustomizedIops;
+        Long minIops;
+        Long maxIops;
+        Integer hypervisorSnapshotReserve;
+        String cacheMode;
+    }
+
+    private static class CustomOfferingParams {
+        Integer maxCPU;
+        Integer minCPU;
+        Integer maxMemory;
+        Integer minMemory;
+        Long storagePolicy;
+    }
+
+    private static class LeaseParams {
+        Integer leaseDuration;
+        VMLeaseManager.ExpiryAction leaseExpiryAction;
+    }
+
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_DISK_OFFERING_CLONE, eventDescription = "cloning disk offering")
+    public DiskOffering cloneDiskOffering(final CloneDiskOfferingCmd cmd) {
+        final long userId = CallContext.current().getCallingUserId();
+        final DiskOfferingVO sourceOffering = getAndValidateSourceDiskOffering(cmd.getSourceOfferingId());
+        final Map<String, String> requestParams = cmd.getFullUrlParams();
+
+        final String name = cmd.getOfferingName();
+        final String displayText = getOrDefault(cmd.getDisplayText(), sourceOffering.getDisplayText());
+        final String provisioningType = getOrDefault(cmd.getProvisioningType(), sourceOffering.getProvisioningType().toString());
+        final Long diskSize = getOrDefault(cmd.getDiskSize(), sourceOffering.getDiskSize());
+        final String tags = getOrDefault(cmd.getTags(), sourceOffering.getTags());
+
+        final Boolean isCustomized = resolveBooleanParam(requestParams, ApiConstants.CUSTOMIZED, cmd::isCustomized, sourceOffering.isCustomized());
+        final Boolean displayOffering = resolveBooleanParam(requestParams, ApiConstants.DISPLAY_OFFERING, cmd::getDisplayOffering, sourceOffering.getDisplayOffering());
+        final Boolean isCustomizedIops = getOrDefault(cmd.isCustomizedIops(), sourceOffering.isCustomizedIops());
+        final Boolean diskSizeStrictness = resolveBooleanParam(requestParams, ApiConstants.DISK_SIZE_STRICTNESS, cmd::getDiskSizeStrictness, sourceOffering.getDiskSizeStrictness());
+        final Boolean encrypt = resolveBooleanParam(requestParams, ApiConstants.ENCRYPT, cmd::getEncrypt, sourceOffering.getEncrypt());
+
+        final List<Long> domainIds = resolveDomainIdsForDiskOffering(cmd, sourceOffering);
+        final List<Long> zoneIds = resolveZoneIdsForDiskOffering(cmd, sourceOffering);
+
+        final boolean localStorageRequired = resolveLocalStorageRequired(cmd, sourceOffering);
+
+        final ClonedDiskIopsParams iopsParams = resolveDiskIopsParams(cmd, sourceOffering);
+
+        final ClonedDiskRateParams rateParams = resolveDiskRateParams(cmd, sourceOffering);
+
+        final Integer hypervisorSnapshotReserve = getOrDefault(cmd.getHypervisorSnapshotReserve(), sourceOffering.getHypervisorSnapshotReserve());
+        final String cacheMode = resolveCacheMode(cmd, sourceOffering);
+        final Long storagePolicy = resolveStoragePolicyForDiskOffering(cmd, sourceOffering);
+
+        final Map<String, String> mergedDetails = mergeDiskOfferingDetails(cmd, sourceOffering);
+
+        if (cmd.getCacheMode() != null) {
+            validateCacheMode(cmd.getCacheMode());
+        }
+
+        validateMaxRateEqualsOrGreater(iopsParams.iopsReadRate, iopsParams.iopsReadRateMax, IOPS_READ_RATE);
+        validateMaxRateEqualsOrGreater(iopsParams.iopsWriteRate, iopsParams.iopsWriteRateMax, IOPS_WRITE_RATE);
+        validateMaxRateEqualsOrGreater(rateParams.bytesReadRate, rateParams.bytesReadRateMax, BYTES_READ_RATE);
+        validateMaxRateEqualsOrGreater(rateParams.bytesWriteRate, rateParams.bytesWriteRateMax, BYTES_WRITE_RATE);
+        validateMaximumIopsAndBytesLength(iopsParams.iopsReadRateMaxLength, iopsParams.iopsWriteRateMaxLength,
+                                          rateParams.bytesReadRateMaxLength, rateParams.bytesWriteRateMaxLength);
+
+        return createDiskOffering(userId, domainIds, zoneIds, name, displayText, provisioningType, diskSize, tags,
+                isCustomized, localStorageRequired, displayOffering, isCustomizedIops, iopsParams.minIops, iopsParams.maxIops,
+                rateParams.bytesReadRate, rateParams.bytesReadRateMax, rateParams.bytesReadRateMaxLength,
+                rateParams.bytesWriteRate, rateParams.bytesWriteRateMax, rateParams.bytesWriteRateMaxLength,
+                iopsParams.iopsReadRate, iopsParams.iopsReadRateMax, iopsParams.iopsReadRateMaxLength,
+                iopsParams.iopsWriteRate, iopsParams.iopsWriteRateMax, iopsParams.iopsWriteRateMaxLength,
+                hypervisorSnapshotReserve, cacheMode, mergedDetails, storagePolicy, diskSizeStrictness, encrypt);
+    }
+
+    private DiskOfferingVO getAndValidateSourceDiskOffering(Long sourceOfferingId) {
+        final DiskOfferingVO sourceOffering = _diskOfferingDao.findById(sourceOfferingId);
+        if (sourceOffering == null) {
+            throw new InvalidParameterValueException("Unable to find disk offering with ID: " + sourceOfferingId);
+        }
+        return sourceOffering;
+    }
+
+    private List<Long> resolveDomainIdsForDiskOffering(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        List<Long> domainIds = cmd.getDomainIds();
+        if (domainIds == null || domainIds.isEmpty()) {
+            domainIds = diskOfferingDetailsDao.findDomainIds(sourceOffering.getId());
+        }
+        return domainIds;
+    }
+
+    private List<Long> resolveZoneIdsForDiskOffering(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        List<Long> zoneIds = cmd.getZoneIds();
+        if (zoneIds == null || zoneIds.isEmpty()) {
+            zoneIds = diskOfferingDetailsDao.findZoneIds(sourceOffering.getId());
+        }
+        return zoneIds;
+    }
+
+    private boolean resolveLocalStorageRequired(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        if (cmd.getStorageType() != null) {
+            return ServiceOffering.StorageType.local.toString().equalsIgnoreCase(cmd.getStorageType());
+        }
+        return sourceOffering.isUseLocalStorage();
+    }
+
+    private String resolveCacheMode(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        if (cmd.getCacheMode() != null) {
+            return cmd.getCacheMode();
+        }
+        if (sourceOffering.getCacheMode() != null) {
+            return sourceOffering.getCacheMode().toString();
+        }
+        return null;
+    }
+
+    private Long resolveStoragePolicyForDiskOffering(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        Long storagePolicy = cmd.getStoragePolicy();
+        if (storagePolicy == null) {
+            String storagePolicyStr = diskOfferingDetailsDao.getDetail(sourceOffering.getId(), ApiConstants.STORAGE_POLICY);
+            if (storagePolicyStr != null) {
+                storagePolicy = Long.parseLong(storagePolicyStr);
+            }
+        }
+        return storagePolicy;
+    }
+
+    private ClonedDiskIopsParams resolveDiskIopsParams(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        final ClonedDiskIopsParams params = new ClonedDiskIopsParams();
+
+        params.minIops = getOrDefault(cmd.getMinIops(), sourceOffering.getMinIops());
+        params.maxIops = getOrDefault(cmd.getMaxIops(), sourceOffering.getMaxIops());
+        params.iopsReadRate = getOrDefault(cmd.getIopsReadRate(), sourceOffering.getIopsReadRate());
+        params.iopsReadRateMax = getOrDefault(cmd.getIopsReadRateMax(), sourceOffering.getIopsReadRateMax());
+        params.iopsReadRateMaxLength = getOrDefault(cmd.getIopsReadRateMaxLength(), sourceOffering.getIopsReadRateMaxLength());
+        params.iopsWriteRate = getOrDefault(cmd.getIopsWriteRate(), sourceOffering.getIopsWriteRate());
+        params.iopsWriteRateMax = getOrDefault(cmd.getIopsWriteRateMax(), sourceOffering.getIopsWriteRateMax());
+        params.iopsWriteRateMaxLength = getOrDefault(cmd.getIopsWriteRateMaxLength(), sourceOffering.getIopsWriteRateMaxLength());
+
+        return params;
+    }
+
+    private ClonedDiskRateParams resolveDiskRateParams(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        final ClonedDiskRateParams params = new ClonedDiskRateParams();
+
+        params.bytesReadRate = getOrDefault(cmd.getBytesReadRate(), sourceOffering.getBytesReadRate());
+        params.bytesReadRateMax = getOrDefault(cmd.getBytesReadRateMax(), sourceOffering.getBytesReadRateMax());
+        params.bytesReadRateMaxLength = getOrDefault(cmd.getBytesReadRateMaxLength(), sourceOffering.getBytesReadRateMaxLength());
+        params.bytesWriteRate = getOrDefault(cmd.getBytesWriteRate(), sourceOffering.getBytesWriteRate());
+        params.bytesWriteRateMax = getOrDefault(cmd.getBytesWriteRateMax(), sourceOffering.getBytesWriteRateMax());
+        params.bytesWriteRateMaxLength = getOrDefault(cmd.getBytesWriteRateMaxLength(), sourceOffering.getBytesWriteRateMaxLength());
+
+        return params;
+    }
+
+    private Map<String, String> mergeDiskOfferingDetails(CloneDiskOfferingCmd cmd, DiskOfferingVO sourceOffering) {
+        final Map<String, String> cmdDetails = cmd.getDetails();
+        final Map<String, String> mergedDetails = new HashMap<>();
+
+        if (cmdDetails == null || cmdDetails.isEmpty()) {
+            Map<String, String> sourceDetails = diskOfferingDetailsDao.listDetailsKeyPairs(sourceOffering.getId());
+            if (sourceDetails != null) {
+                mergedDetails.putAll(sourceDetails);
+            }
+        } else {
+            mergedDetails.putAll(cmdDetails);
+        }
+
+        return mergedDetails;
+    }
+
+    // Helper classes for disk offering parameters
+    private static class ClonedDiskIopsParams {
+        Long minIops;
+        Long maxIops;
+        Long iopsReadRate;
+        Long iopsReadRateMax;
+        Long iopsReadRateMaxLength;
+        Long iopsWriteRate;
+        Long iopsWriteRateMax;
+        Long iopsWriteRateMaxLength;
+    }
+
+    private static class ClonedDiskRateParams {
+        Long bytesReadRate;
+        Long bytesReadRateMax;
+        Long bytesReadRateMaxLength;
+        Long bytesWriteRate;
+        Long bytesWriteRateMax;
+        Long bytesWriteRateMaxLength;
+    }
+
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_SERVICE_OFFERING_EDIT, eventDescription = "updating service offering")
     public ServiceOffering updateServiceOffering(final UpdateServiceOfferingCmd cmd) {
@@ -6590,7 +7047,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_NETWORK_OFFERING_CREATE, eventDescription = "creating network offering")
-    public NetworkOffering createNetworkOffering(final CreateNetworkOfferingCmd cmd) {
+    public NetworkOffering createNetworkOffering(final NetworkOfferingBaseCmd cmd) {
         final String name = cmd.getNetworkOfferingName();
         final String displayText = cmd.getDisplayText();
         final NetUtils.InternetProtocol internetProtocol = NetUtils.InternetProtocol.fromValue(cmd.getInternetProtocol());
@@ -7827,6 +8284,431 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
         }
     }
 
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_NETWORK_OFFERING_CLONE, eventDescription = "cloning network offering")
+    public NetworkOffering cloneNetworkOffering(final CloneNetworkOfferingCmd cmd) {
+        final Long sourceOfferingId = cmd.getSourceOfferingId();
+
+        final NetworkOfferingVO sourceOffering = _networkOfferingDao.findById(sourceOfferingId);
+        if (sourceOffering == null) {
+            throw new InvalidParameterValueException("Unable to find network offering with id " + sourceOfferingId);
+        }
+
+        String name = cmd.getNetworkOfferingName();
+        if (name == null || name.isEmpty()) {
+            throw new InvalidParameterValueException("Name is required when cloning a network offering");
+        }
+
+        NetworkOfferingVO existing = _networkOfferingDao.findByUniqueName(name);
+        if (existing != null) {
+            throw new InvalidParameterValueException("Network offering with name '" + name + "' already exists");
+        }
+
+        logger.info("Cloning network offering {} (id: {}) to new offering with name: {}",
+                    sourceOffering.getName(), sourceOfferingId, name);
+
+        Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap =
+                _networkModel.getNetworkOfferingServiceProvidersMap(sourceOfferingId);
+
+        validateProvider(sourceOffering, sourceServiceProviderMap, cmd.getProvider(), cmd.getNetworkMode());
+
+        applySourceOfferingValuesToCloneCmd(cmd, sourceServiceProviderMap, sourceOffering);
+
+        return createNetworkOffering(cmd);
+    }
+
+    private void validateProvider(NetworkOfferingVO sourceOffering,
+                                  Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap,
+                                  String detectedProvider, String networkMode) {
+
+        detectedProvider = getExternalNetworkProvider(detectedProvider, sourceServiceProviderMap);
+        // If this is an NSX/Netris offering, prevent network mode changes
+        if (detectedProvider != null && (detectedProvider.equals("NSX") || detectedProvider.equals("Netris"))) {
+            if (networkMode != null && sourceOffering.getNetworkMode() != null) {
+                if (!networkMode.equalsIgnoreCase(sourceOffering.getNetworkMode().toString())) {
+                    throw new InvalidParameterValueException(
+                            String.format("Cannot change network mode when cloning %s provider network offerings. " +
+                                            "Source offering has network mode '%s', but '%s' was specified. ",
+                                    detectedProvider, sourceOffering.getNetworkMode(), networkMode));
+                }
+            }
+        }
+    }
+
+    public static String getExternalNetworkProvider(String detectedProvider,
+                                             Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap) {
+        if (StringUtils.isNotEmpty(detectedProvider)) {
+            return detectedProvider;
+        }
+
+        if (sourceServiceProviderMap == null || sourceServiceProviderMap.isEmpty()) {
+            return null;
+        }
+
+        for (Set<Provider> providers : sourceServiceProviderMap.values()) {
+            if (CollectionUtils.isEmpty(providers)) {
+                continue;
+            }
+            for (Provider provider : providers) {
+                if (provider == Provider.Nsx) {
+                    return "NSX";
+                }
+                if (provider == Provider.Netris) {
+                    return "Netris";
+                }
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Converts service provider map from internal format to API parameter format.
+     *
+     * Internal format: Map<String, List<String>> where key=serviceName, value=list of provider names
+     * API parameter format: Map where each value is a HashMap with "service" and "provider" keys
+     *
+     * Example: {"Lb": ["VirtualRouter"]} becomes {0: {"service": "Lb", "provider": "VirtualRouter"}}
+     */
+    private Map<String, Map<String, String>> convertToApiParameterFormat(Map<String, List<String>> serviceProviderMap) {
+        Map<String, Map<String, String>> apiFormatMap = new HashMap<>();
+        int index = 0;
+
+        for (Map.Entry<String, List<String>> entry : serviceProviderMap.entrySet()) {
+            String serviceName = entry.getKey();
+            List<String> providers = entry.getValue();
+
+            for (String provider : providers) {
+                Map<String, String> serviceProviderEntry = new HashMap<>();
+                serviceProviderEntry.put("service", serviceName);
+                serviceProviderEntry.put("provider", provider);
+                apiFormatMap.put(String.valueOf(index), serviceProviderEntry);
+                index++;
+            }
+        }
+
+        return apiFormatMap;
+    }
+
+    private void applySourceOfferingValuesToCloneCmd(CloneNetworkOfferingCmd cmd,
+                                                     Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap,
+                                                     NetworkOfferingVO sourceOffering) {
+        Long sourceOfferingId = sourceOffering.getId();
+
+        // Build final services list with add/drop support
+        List<String> finalServices = resolveFinalServicesList(cmd, sourceServiceProviderMap);
+
+        Map<String, List<String>> finalServiceProviderMap = resolveServiceProviderMap(cmd, sourceServiceProviderMap, finalServices);
+
+        Map<String, Map<String, String>> sourceServiceCapabilityList = reconstructNetworkServiceCapabilityList(sourceOffering);
+
+        Map<String, String> sourceDetailsMap = getSourceOfferingDetails(sourceOfferingId);
+
+        List<Long> sourceDomainIds = networkOfferingDetailsDao.findDomainIds(sourceOfferingId);
+        List<Long> sourceZoneIds = networkOfferingDetailsDao.findZoneIds(sourceOfferingId);
+
+        applyResolvedValuesToCommand(cmd, sourceOffering, finalServices, finalServiceProviderMap,
+            sourceServiceCapabilityList, sourceDetailsMap, sourceDomainIds, sourceZoneIds);
+    }
+
+    private Map<String, String> getSourceOfferingDetails(Long sourceOfferingId) {
+        List<NetworkOfferingDetailsVO> sourceDetailsVOs = networkOfferingDetailsDao.listDetails(sourceOfferingId);
+        Map<String, String> sourceDetailsMap = new HashMap<>();
+        for (NetworkOfferingDetailsVO detailVO : sourceDetailsVOs) {
+            sourceDetailsMap.put(detailVO.getName(), detailVO.getValue());
+        }
+        return sourceDetailsMap;
+    }
+
+    private List<String> resolveFinalServicesList(CloneNetworkOfferingCmd cmd,
+            Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap) {
+
+        List<String> cmdServices = cmd.getSupportedServices();
+        List<String> addServices = cmd.getAddServices();
+        List<String> dropServices = cmd.getDropServices();
+
+        if (cmdServices != null && !cmdServices.isEmpty()) {
+            return cmdServices;
+        }
+
+        List<String> finalServices = new ArrayList<>();
+        for (Network.Service service : sourceServiceProviderMap.keySet()) {
+            if (service != Network.Service.Gateway) {
+                finalServices.add(service.getName());
+            }
+        }
+
+        if (dropServices != null && !dropServices.isEmpty()) {
+            List<String> normalizedDropServices = new ArrayList<>();
+            for (String serviceName : dropServices) {
+                Network.Service service = Network.Service.getService(serviceName);
+                if (service == null) {
+                    throw new InvalidParameterValueException("Invalid service name in dropServices: " + serviceName);
+                }
+                normalizedDropServices.add(service.getName());
+            }
+            finalServices.removeAll(normalizedDropServices);
+            logger.debug("Dropped services from clone: {}", normalizedDropServices);
+        }
+
+        if (addServices != null && !addServices.isEmpty()) {
+            List<String> normalizedAddServices = new ArrayList<>();
+            for (String serviceName : addServices) {
+                Network.Service service = Network.Service.getService(serviceName);
+                if (service == null) {
+                    throw new InvalidParameterValueException("Invalid service name in addServices: " + serviceName);
+                }
+                String canonicalName = service.getName();
+                if (!finalServices.contains(canonicalName)) {
+                    finalServices.add(canonicalName);
+                    normalizedAddServices.add(canonicalName);
+                }
+            }
+            logger.debug("Added services to clone: {}", normalizedAddServices);
+        }
+
+        return finalServices;
+    }
+
+    private Map<String, List<String>> resolveServiceProviderMap(CloneNetworkOfferingCmd cmd,
+            Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap, List<String> finalServices) {
+
+        if (cmd.getServiceProviders() != null && !cmd.getServiceProviders().isEmpty()) {
+            return cmd.getServiceProviders();
+        }
+
+        Map<String, List<String>> finalMap = new HashMap<>();
+        for (Map.Entry<Network.Service, Set<Network.Provider>> entry : sourceServiceProviderMap.entrySet()) {
+            String serviceName = entry.getKey().getName();
+            if (finalServices.contains(serviceName)) {
+                List<String> providers = new ArrayList<>();
+                for (Network.Provider provider : entry.getValue()) {
+                    providers.add(provider.getName());
+                }
+                finalMap.put(serviceName, providers);
+            }
+        }
+
+        return finalMap;
+    }
+
+    private void applyResolvedValuesToCommand(CloneNetworkOfferingCmd cmd, NetworkOfferingVO sourceOffering,
+            List<String> finalServices, Map<String, List<String>> finalServiceProviderMap, Map<String, Map<String, String>> sourceServiceCapabilityList,
+            Map<String, String> sourceDetailsMap, List<Long> sourceDomainIds, List<Long> sourceZoneIds) {
+
+        try {
+            Map<String, String> requestParams = cmd.getFullUrlParams();
+
+            if (cmd.getSupportedServices() == null || cmd.getSupportedServices().isEmpty()) {
+                setField(cmd, "supportedServices", finalServices);
+            }
+            if (cmd.getServiceProviders() == null || cmd.getServiceProviders().isEmpty()) {
+                Map<String, Map<String, String>> apiFormatMap = convertToApiParameterFormat(finalServiceProviderMap);
+                setField(cmd, "serviceProviderList", apiFormatMap);
+            }
+
+            boolean hasCapabilityParams = requestParams.keySet().stream()
+                .anyMatch(key -> key.startsWith(ApiConstants.SERVICE_CAPABILITY_LIST));
+
+            if (!hasCapabilityParams && sourceServiceCapabilityList != null && !sourceServiceCapabilityList.isEmpty()) {
+                // Filter capabilities to only include those for services in the final service list
+                // This ensures that if services are dropped, their capabilities are also removed
+                Map<String, Map<String, String>> filteredCapabilities = new HashMap<>();
+                for (Map.Entry<String, Map<String, String>> entry : sourceServiceCapabilityList.entrySet()) {
+                    Map<String, String> capabilityMap = entry.getValue();
+                    String serviceName = capabilityMap.get("service");
+                    if (serviceName != null && finalServices.contains(serviceName)) {
+                        filteredCapabilities.put(entry.getKey(), capabilityMap);
+                    }
+                }
+
+                if (!filteredCapabilities.isEmpty()) {
+                    setField(cmd, "serviceCapabilitiesList", filteredCapabilities);
+                }
+            }
+
+            applyIfNotProvided(cmd, requestParams, "displayText", ApiConstants.DISPLAY_TEXT, cmd.getDisplayText(), sourceOffering.getDisplayText());
+            applyIfNotProvided(cmd, requestParams, "traffictype", ApiConstants.TRAFFIC_TYPE, cmd.getTraffictype(), sourceOffering.getTrafficType().toString());
+            applyIfNotProvided(cmd, requestParams, "tags", ApiConstants.TAGS, cmd.getTags(), sourceOffering.getTags());
+            applyIfNotProvided(cmd, requestParams, "availability", ApiConstants.AVAILABILITY, cmd.getAvailability(), Availability.Optional.toString());
+            applyIfNotProvided(cmd, requestParams, "networkRate", ApiConstants.NETWORKRATE, cmd.getNetworkRate(), sourceOffering.getRateMbps());
+            applyIfNotProvided(cmd, requestParams, "serviceOfferingId", ApiConstants.SERVICE_OFFERING_ID, cmd.getServiceOfferingId(), sourceOffering.getServiceOfferingId());
+            applyIfNotProvided(cmd, requestParams, "guestIptype", ApiConstants.GUEST_IP_TYPE, cmd.getGuestIpType(), sourceOffering.getGuestType().toString());
+            applyIfNotProvided(cmd, requestParams, "maxConnections", ApiConstants.MAX_CONNECTIONS, cmd.getMaxconnections(), sourceOffering.getConcurrentConnections());
+
+            applyBooleanIfNotProvided(cmd, requestParams, "specifyVlan", ApiConstants.SPECIFY_VLAN, sourceOffering.isSpecifyVlan());
+            applyBooleanIfNotProvided(cmd, requestParams, "conserveMode", ApiConstants.CONSERVE_MODE, sourceOffering.isConserveMode());
+            applyBooleanIfNotProvided(cmd, requestParams, "specifyIpRanges", ApiConstants.SPECIFY_IP_RANGES, sourceOffering.isSpecifyIpRanges());
+            applyBooleanIfNotProvided(cmd, requestParams, "isPersistent", ApiConstants.IS_PERSISTENT, sourceOffering.isPersistent());
+            applyBooleanIfNotProvided(cmd, requestParams, "forVpc", ApiConstants.FOR_VPC, sourceOffering.isForVpc());
+            applyBooleanIfNotProvided(cmd, requestParams, "egressDefaultPolicy", ApiConstants.EGRESS_DEFAULT_POLICY, sourceOffering.isEgressDefaultPolicy());
+            applyBooleanIfNotProvided(cmd, requestParams, "keepAliveEnabled", ApiConstants.KEEPALIVE_ENABLED, sourceOffering.isKeepAliveEnabled());
+            applyBooleanIfNotProvided(cmd, requestParams, "enable", ApiConstants.ENABLE, sourceOffering.getState() == NetworkOffering.State.Enabled);
+            applyBooleanIfNotProvided(cmd, requestParams, "specifyAsNumber", ApiConstants.SPECIFY_AS_NUMBER, sourceOffering.isSpecifyAsNumber());
+
+            if (!requestParams.containsKey(ApiConstants.INTERNET_PROTOCOL)) {
+                String internetProtocol = networkOfferingDetailsDao.getDetail(sourceOffering.getId(), Detail.internetProtocol);
+                if (internetProtocol != null) {
+                    setField(cmd, "internetProtocol", internetProtocol);
+                }
+            }
+
+            if (!requestParams.containsKey(ApiConstants.NETWORK_MODE) && sourceOffering.getNetworkMode() != null) {
+                setField(cmd, "networkMode", sourceOffering.getNetworkMode().toString());
+            }
+
+            if (!requestParams.containsKey(ApiConstants.ROUTING_MODE) && sourceOffering.getRoutingMode() != null) {
+                setField(cmd, "routingMode", sourceOffering.getRoutingMode().toString());
+            }
+
+            if (cmd.getDetails() == null || cmd.getDetails().isEmpty()) {
+                if (!sourceDetailsMap.isEmpty()) {
+                    setField(cmd, "details", sourceDetailsMap);
+                }
+            }
+
+            if (cmd.getDomainIds() == null || cmd.getDomainIds().isEmpty()) {
+                if (sourceDomainIds != null && !sourceDomainIds.isEmpty()) {
+                    setField(cmd, "domainIds", sourceDomainIds);
+                }
+            }
+            if (cmd.getZoneIds() == null || cmd.getZoneIds().isEmpty()) {
+                if (sourceZoneIds != null && !sourceZoneIds.isEmpty()) {
+                    setField(cmd, "zoneIds", sourceZoneIds);
+                }
+            }
+
+        } catch (Exception e) {
+            logger.warn("Failed to apply some source offering parameters during clone: {}", e.getMessage());
+        }
+    }
+
+    /**
+     * Reconstructs the service capability list from the source network offering's stored capability flags.
+     * These capabilities were originally passed during creation and stored as boolean flags in the offering.
+     *
+     * Returns a Map in the format expected by CreateNetworkOfferingCmd.serviceCapabilitystList:
+     * Map where each value is a HashMap with keys: "service", "capabilitytype", "capabilityvalue"
+     */
+    private Map<String, Map<String, String>> reconstructNetworkServiceCapabilityList(NetworkOfferingVO sourceOffering) {
+        Map<String, Map<String, String>> capabilityList = new HashMap<>();
+        int index = 0;
+
+        if (sourceOffering.isDedicatedLB()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.Lb.getName());
+            cap.put("capabilitytype", Network.Capability.SupportedLBIsolation.getName());
+            cap.put("capabilityvalue", "dedicated");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+        if (sourceOffering.isElasticLb()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.Lb.getName());
+            cap.put("capabilitytype", Network.Capability.ElasticLb.getName());
+            cap.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+        if (sourceOffering.isInline()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.Lb.getName());
+            cap.put("capabilitytype", Network.Capability.InlineMode.getName());
+            cap.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+        if (sourceOffering.isPublicLb() || sourceOffering.isInternalLb()) {
+            List<String> schemes = new ArrayList<>();
+            if (sourceOffering.isPublicLb()) schemes.add("public");
+            if (sourceOffering.isInternalLb()) schemes.add("internal");
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.Lb.getName());
+            cap.put("capabilitytype", Network.Capability.LbSchemes.getName());
+            cap.put("capabilityvalue", String.join(",", schemes));
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+        if (sourceOffering.isSupportsVmAutoScaling()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.Lb.getName());
+            cap.put("capabilitytype", Network.Capability.VmAutoScaling.getName());
+            cap.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+
+        if (sourceOffering.isSharedSourceNat()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.SourceNat.getName());
+            cap.put("capabilitytype", Network.Capability.SupportedSourceNatTypes.getName());
+            cap.put("capabilityvalue", "perzone");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+
+        if (sourceOffering.isRedundantRouter()) {
+            Map<String, String> cap1 = new HashMap<>();
+            cap1.put("service", Network.Service.SourceNat.getName());
+            cap1.put("capabilitytype", Network.Capability.RedundantRouter.getName());
+            cap1.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap1);
+
+            Map<String, String> cap2 = new HashMap<>();
+            cap2.put("service", Network.Service.Gateway.getName());
+            cap2.put("capabilitytype", Network.Capability.RedundantRouter.getName());
+            cap2.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap2);
+        }
+
+        if (sourceOffering.isElasticIp()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.StaticNat.getName());
+            cap.put("capabilitytype", Network.Capability.ElasticIp.getName());
+            cap.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+
+        if (sourceOffering.isElasticIp() && sourceOffering.isAssociatePublicIP()) {
+            Map<String, String> cap = new HashMap<>();
+            cap.put("service", Network.Service.StaticNat.getName());
+            cap.put("capabilitytype", Network.Capability.AssociatePublicIP.getName());
+            cap.put("capabilityvalue", "true");
+            capabilityList.put(String.valueOf(index++), cap);
+        }
+
+        return capabilityList;
+    }
+
+    public static void applyIfNotProvided(Object cmd, Map<String, String> requestParams, String fieldName,
+            String apiConstant, Object currentValue, Object sourceValue) throws Exception {
+        if ((requestParams == null || !requestParams.containsKey(apiConstant)) && sourceValue != null) {
+            setField(cmd, fieldName, sourceValue);
+        }
+    }
+
+    public static void applyBooleanIfNotProvided(Object cmd, Map<String, String> requestParams,
+            String fieldName, String apiConstant, Boolean sourceValue) throws Exception {
+        if ((requestParams == null || !requestParams.containsKey(apiConstant)) && sourceValue != null) {
+            setField(cmd, fieldName, sourceValue);
+        }
+    }
+
+    public static void setField(Object obj, String fieldName, Object value) throws Exception {
+        Field field = findField(obj.getClass(), fieldName);
+        if (field == null) {
+            throw new NoSuchFieldException("Field '" + fieldName + "' not found in class hierarchy of " + obj.getClass().getName());
+        }
+        field.setAccessible(true);
+        field.set(obj, value);
+    }
+
+    public static Field findField(Class<?> clazz, String fieldName) {
+        Class<?> currentClass = clazz;
+        while (currentClass != null) {
+            try {
+                return currentClass.getDeclaredField(fieldName);
+            } catch (NoSuchFieldException e) {
+                currentClass = currentClass.getSuperclass();
+            }
+        }
+        return null;
+    }
+
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_NETWORK_OFFERING_EDIT, eventDescription = "updating network offering")
     public NetworkOffering updateNetworkOffering(final UpdateNetworkOfferingCmd cmd) {
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index 20ca189994e..7f41a1a106c 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
@@ -1543,6 +1543,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
         return ipaddr;
     }
 
+    protected IPAddressVO getExistingSourceNatInVPC(Long vpcId) {
+        List<IPAddressVO> ips = _ipAddressDao.listByAssociatedVpc(vpcId, true);
+        if (CollectionUtils.isEmpty(ips)) {
+            return null;
+        }
+        return ips.get(0);
+    }
+
     protected IPAddressVO getExistingSourceNatInNetwork(long ownerId, Long networkId) {
         List<? extends IpAddress> addrs;
         Network guestNetwork = _networksDao.findById(networkId);
@@ -1723,7 +1731,11 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
         NetworkOffering offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
         boolean sharedSourceNat = offering.isSharedSourceNat();
         boolean isSourceNat = false;
-        if (!sharedSourceNat) {
+        if (network.getVpcId() != null) {
+            // For VPCs: Check if the VPC Source NAT IP address is the same we are associating
+            IPAddressVO vpcSourceNatIpAddress = getExistingSourceNatInVPC(network.getVpcId());
+            isSourceNat = vpcSourceNatIpAddress != null && vpcSourceNatIpAddress.getId() == ipToAssoc.getId();
+        } else if (!sharedSourceNat) {
             if (getExistingSourceNatInNetwork(owner.getId(), network.getId()) == null) {
                 if (network.getGuestType() == GuestType.Isolated && network.getVpcId() == null && !ipToAssoc.isPortable()) {
                     isSourceNat = true;
@@ -2647,4 +2659,31 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
         });
     }
 
+    @Override
+    public Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId) {
+        boolean vpcConserveMode = isPublicIpOnVpcConserveMode(ip);
+        return getPreferredNetworkIdForRule(ip, vpcConserveMode, networkId);
+    }
+
+    protected Long getPreferredNetworkIdForRule(IpAddress ip, boolean vpcConserveModeEnabled, Long networkId) {
+        if (vpcConserveModeEnabled) {
+            // Since VPC Conserve mode allows rules from multiple VPC tiers, always check the networkId parameter first
+            return networkId != null ? networkId : ip.getAssociatedWithNetworkId();
+        } else {
+            // In case of Guest Networks or VPC Tier Networks VPC Conserve mode disabled prefer the associated networkId
+            return ip.getAssociatedWithNetworkId() != null ? ip.getAssociatedWithNetworkId() : networkId;
+        }
+    }
+
+    protected boolean isPublicIpOnVpcConserveMode(IpAddress ip) {
+        if (ip.getVpcId() == null) {
+            return false;
+        }
+        Vpc vpc =  _vpcMgr.getActiveVpc(ip.getVpcId());
+        if (vpc == null) {
+            return false;
+        }
+        VpcOffering vpcOffering = vpcOfferingDao.findById(vpc.getVpcOfferingId());
+        return vpcOffering != null && vpcOffering.isConserveMode();
+    }
 }
diff --git a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
index dea8a7ec83e..0a2e679b723 100644
--- a/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/NetworkServiceImpl.java
@@ -280,6 +280,9 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
     private static final ConfigKey<Boolean> AllowEmptyStartEndIpAddress = new ConfigKey<>("Advanced", Boolean.class,
             "allow.empty.start.end.ipaddress", "true", "Allow creating network without mentioning start and end IP address",
             true, ConfigKey.Scope.Account);
+    public static final ConfigKey<Boolean> AllowUsersToMakeNetworksRedundant = new ConfigKey<>("Advanced", Boolean.class,
+            "allow.users.to.make.networks.redundant", "true", "Allow Users to make Networks Redundant",
+            true, ConfigKey.Scope.Global);
     private static final long MIN_VLAN_ID = 0L;
     private static final long MAX_VLAN_ID = 4095L; // 2^12 - 1
     private static final long MIN_GRE_KEY = 0L;
@@ -2998,8 +3001,12 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
             throwInvalidIdException("Cannot restart a VPC tier with cleanup, please restart the whole VPC.", network.getUuid(), "network tier");
         }
         boolean makeRedundant = cmd.getMakeRedundant();
-        boolean livePatch = cmd.getLivePatch();
         User callerUser = _accountMgr.getActiveUser(CallContext.current().getCallingUserId());
+        if (makeRedundant && !_accountMgr.isRootAdmin(callerUser.getAccountId()) && !AllowUsersToMakeNetworksRedundant.value() ) {
+            throw new InvalidParameterValueException("Could not make the network redundant. Please contact administrator.");
+        }
+
+        boolean livePatch = cmd.getLivePatch();
         return restartNetwork(network, cleanup, makeRedundant, livePatch, callerUser);
     }
 
@@ -6278,7 +6285,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {AllowDuplicateNetworkName, AllowEmptyStartEndIpAddress, VRPrivateInterfaceMtu, VRPublicInterfaceMtu, AllowUsersToSpecifyVRMtu};
+        return new ConfigKey<?>[] {AllowDuplicateNetworkName, AllowEmptyStartEndIpAddress, AllowUsersToMakeNetworksRedundant, VRPrivateInterfaceMtu, VRPublicInterfaceMtu, AllowUsersToSpecifyVRMtu};
     }
 
     public boolean isDefaultAcl(Long aclId) {
@@ -6427,6 +6434,11 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService, C
         return Networks.BroadcastDomainType.getValue(nic.getBroadcastUri());
     }
 
+    @Override
+    public Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId) {
+        return _ipAddrMgr.getPreferredNetworkIdForPublicIpRuleAssignment(ip, networkId);
+    }
+
     @Override
     public Network.IpAddresses getIpAddressesFromIps(String ipAddress, String ip6Address, String macAddress) {
         if (ip6Address != null) {
diff --git a/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
index 4e07611ff71..805ac4aed86 100644
--- a/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/as/AutoScaleManagerImpl.java
@@ -38,6 +38,8 @@ import java.util.concurrent.TimeUnit;
 
 import javax.inject.Inject;
 
+import com.cloud.network.NetworkModel;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.affinity.AffinityGroupVO;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
@@ -112,7 +114,6 @@ import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.network.Network;
 import com.cloud.network.Network.Capability;
 import com.cloud.network.Network.IpAddresses;
-import com.cloud.network.NetworkModel;
 import com.cloud.network.as.AutoScaleCounter.AutoScaleCounterParam;
 import com.cloud.network.as.dao.AutoScalePolicyConditionMapDao;
 import com.cloud.network.as.dao.AutoScalePolicyDao;
@@ -518,15 +519,10 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScaleManage
             throw new InvalidParameterValueException("AutoScale User id does not belong to the same account");
         }
 
-        String apiKey = user.getApiKey();
-        String secretKey = user.getSecretKey();
+        ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(user.getId());
 
-        if (apiKey == null) {
-            throw new InvalidParameterValueException("apiKey for user: " + user.getUsername() + " is empty. Please generate it");
-        }
-
-        if (secretKey == null) {
-            throw new InvalidParameterValueException("secretKey for user: " + user.getUsername() + " is empty. Please generate it");
+        if (latestKeypair == null) {
+            throw new InvalidParameterValueException(String.format("No API keypair for user [%s]. Please generate it.", user.getUsername()));
         }
 
         ApiServiceConfiguration.validateEndpointUrl();
@@ -2055,7 +2051,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScaleManage
         }
         lstVmId.add(new Long(vmId));
         try {
-            return loadBalancingRulesService.assignToLoadBalancer(lbId, lstVmId, new HashMap<>(), true);
+            return loadBalancingRulesService.assignToLoadBalancer(lbId, lstVmId, new HashMap<>(), null, true);
         } catch (CloudRuntimeException ex) {
             logger.warn("Caught exception: ", ex);
             return false;
diff --git a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
index 00863c28dd2..779d26d51f1 100644
--- a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -30,6 +30,8 @@ import java.util.Set;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.dao.VpcOfferingDao;
 import org.apache.commons.lang3.ObjectUtils;
 import org.springframework.stereotype.Component;
 
@@ -159,6 +161,8 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     IpAddressManager _ipAddrMgr;
     @Inject
     RoutedIpv4Manager routedIpv4Manager;
+    @Inject
+    VpcOfferingDao vpcOfferingDao;
 
     private boolean _elbEnabled = false;
     static Boolean rulesContinueOnErrFlag = true;
@@ -395,6 +399,10 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             assert (rules.size() >= 1);
         }
 
+        NetworkVO newRuleNetwork = getNewRuleNetwork(newRule);
+        boolean newRuleIsOnVpcNetwork = newRuleNetwork.getVpcId() != null;
+        boolean vpcConserveModeEnabled = _vpcMgr.isNetworkOnVpcEnabledConserveMode(newRuleNetwork);
+
         for (FirewallRuleVO rule : rules) {
             if (rule.getId() == newRule.getId()) {
                 continue; // Skips my own rule.
@@ -443,8 +451,15 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
             }
 
             // Checking if the rule applied is to the same network that is passed in the rule.
-            if (rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
-                throw new NetworkRuleConflictException("New rule is for a different network than what's specified in rule " + rule.getXid());
+            // (except for VPCs with conserve mode = true)
+            if ((!newRuleIsOnVpcNetwork || !vpcConserveModeEnabled)
+                    && rule.getNetworkId() != newRule.getNetworkId() && rule.getState() != State.Revoke) {
+                String errMsg = String.format("New rule is for a different network than what's specified in rule %s", rule.getXid());
+                if (newRuleIsOnVpcNetwork) {
+                    Vpc vpc = _vpcMgr.getActiveVpc(newRuleNetwork.getVpcId());
+                    errMsg += String.format(" - VPC id=%s is not using conserve mode", vpc.getUuid());
+                }
+                throw new NetworkRuleConflictException(errMsg);
             }
 
             //Check for the ICMP protocol. This has to be done separately from other protocols as we need to check the ICMP codes and ICMP type also.
@@ -493,6 +508,14 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         }
     }
 
+    protected NetworkVO getNewRuleNetwork(FirewallRule newRule) {
+        NetworkVO newRuleNetwork = _networkDao.findById(newRule.getNetworkId());
+        if (newRuleNetwork == null) {
+            throw new InvalidParameterValueException("Unable to create firewall rule as cannot find network by id=" + newRule.getNetworkId());
+        }
+        return newRuleNetwork;
+    }
+
     protected boolean checkIfRulesHaveConflictingPortRanges(FirewallRule newRule, FirewallRule rule, boolean oneOfRulesIsFirewall, boolean bothRulesFirewall, boolean bothRulesPortForwarding, boolean duplicatedCidrs) {
         String rulesAsString = String.format("[%s] and [%s]", rule, newRule);
 
diff --git a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index ffa22e2fb51..5f00261f329 100644
--- a/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -16,6 +16,7 @@
 // under the License.
 package com.cloud.network.lb;
 
+import com.cloud.api.ApiDBUtils;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -31,6 +32,7 @@ import javax.inject.Inject;
 
 import com.cloud.offerings.NetworkOfferingServiceMapVO;
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -51,6 +53,8 @@ import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections4.MapUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 
 import com.cloud.agent.api.to.LoadBalancerTO;
@@ -347,15 +351,15 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             if (user == null) {
                 throw new InvalidParameterValueException("Unable to find user by id " + autoscaleUserId);
             }
-            apiKey = user.getApiKey();
-            secretKey = user.getSecretKey();
-            if (apiKey == null) {
-                throw new InvalidParameterValueException("apiKey for user: " + user.getUsername() + " is empty. Please generate it");
+
+            ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(user.getId());
+
+            if (latestKeypair == null) {
+                throw new InvalidParameterValueException(String.format("No API keypair for user [%s]. Please generate it.", user.getUsername()));
             }
 
-            if (secretKey == null) {
-                throw new InvalidParameterValueException("secretKey for user: " + user.getUsername() + " is empty. Please generate it");
-            }
+            apiKey = latestKeypair.getApiKey();
+            secretKey = latestKeypair.getSecretKey();
 
             ApiServiceConfiguration.validateEndpointUrl();
         }
@@ -1016,7 +1020,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_ASSIGN_TO_LOAD_BALANCER_RULE, eventDescription = "assigning to load balancer", async = true)
-    public boolean assignToLoadBalancer(long loadBalancerId, List<Long> instanceIds, Map<Long, List<String>> vmIdIpMap, boolean isAutoScaleVM) {
+    public boolean assignToLoadBalancer(long loadBalancerId, List<Long> instanceIds, Map<Long, List<String>> vmIdIpMap, Map<Long, Long> vmIdNetworkMap, boolean isAutoScaleVM) {
         CallContext ctx = CallContext.current();
         Account caller = ctx.getCallingAccount();
 
@@ -1089,28 +1093,12 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             _rulesMgr.checkRuleAndUserVm(loadBalancer, vm, caller);
 
             Account vmOwner = _accountDao.findById(vm.getAccountId());
-            Network network = _networkDao.findById(loadBalancer.getNetworkId());
-            _accountMgr.checkAccess(vmOwner, SecurityChecker.AccessType.UseEntry, false, network);
+            Network loadBalancerNetwork = _networkDao.findById(loadBalancer.getNetworkId());
+            _accountMgr.checkAccess(vmOwner, SecurityChecker.AccessType.UseEntry, false, loadBalancerNetwork);
 
-            // Let's check to make sure the vm has a nic in the same network as
-            // the load balancing rule.
-            List<? extends Nic> nics = _networkModel.getNics(vm.getId());
-            Nic nicInSameNetwork = null;
-            for (Nic nic : nics) {
-                if (nic.getNetworkId() == loadBalancer.getNetworkId()) {
-                    nicInSameNetwork = nic;
-                    break;
-                }
-            }
+            Nic vmNicInLb = getVmNicInLoadBalancer(vm, loadBalancer, loadBalancerNetwork, vmIdNetworkMap, vmOwner);
 
-            if (nicInSameNetwork == null) {
-                InvalidParameterValueException ex =
-                        new InvalidParameterValueException("VM with id specified cannot be added because it doesn't belong in the same network.");
-                ex.addProxyObject(vm.getUuid(), "instanceId");
-                throw ex;
-            }
-
-            String priIp = nicInSameNetwork.getIPv4Address();
+            String priIp = vmNicInLb.getIPv4Address();
 
             if (existingVmIdIps.containsKey(instanceId)) {
                 // now check for ip address
@@ -1140,9 +1128,9 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
                     if (ip.equals(priIp)) {
                         continue;
                     }
-                    if(_nicSecondaryIpDao.findByIp4AddressAndNicId(ip,nicInSameNetwork.getId()) == null) {
+                    if(_nicSecondaryIpDao.findByIp4AddressAndNicId(ip,vmNicInLb.getId()) == null) {
                         throw new InvalidParameterValueException("Instance IP "+ ip + " specified does not belong to " +
-                                "NIC in Network " + nicInSameNetwork.getNetworkId());
+                                "NIC in Network " + vmNicInLb.getNetworkId());
                     }
                 }
             } else {
@@ -1232,6 +1220,63 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
         return success;
     }
 
+    protected Nic getVmNicInLoadBalancer(UserVm vm, LoadBalancerVO loadBalancer, Network loadBalancerNetwork, Map<Long, Long> vmIdNetworkMap, Account vmOwner) {
+        boolean isVpcConserveModeEnabled = _vpcMgr.isNetworkOnVpcEnabledConserveMode(loadBalancerNetwork);
+
+        boolean isNetworkPassedVpcConserveMode = isVpcConserveModeEnabled && MapUtils.isNotEmpty(vmIdNetworkMap) && vmIdNetworkMap.containsKey(vm.getId());
+        Nic vmNicInLb = isNetworkPassedVpcConserveMode ?
+                getNicForVmInVpcConserveModeTierNetwork(vm, vmIdNetworkMap, vmOwner, loadBalancerNetwork) :
+                getNicForVmLbNetwork(vm, loadBalancer);
+
+        if (vmNicInLb == null) {
+            String msg = !isVpcConserveModeEnabled ?
+                    "VM with id specified cannot be added because it doesn't belong in the same network." :
+                    "VM with id specified cannot be added to the load balancing rule for VPC Conserve Mode.";
+            InvalidParameterValueException ex = new InvalidParameterValueException(msg);
+            ex.addProxyObject(vm.getUuid(), "instanceId");
+            throw ex;
+        }
+        return vmNicInLb;
+    }
+
+    /**
+     * For Isolated Networks or Network tiers of VPCs not using Conserve mode, use the same network as the load balancer
+     * @return the nic of the VM in the load balancer network
+     */
+    protected Nic getNicForVmLbNetwork(UserVm vm, LoadBalancerVO loadBalancer) {
+        List<? extends Nic> nics = _networkModel.getNics(vm.getId());
+        for (Nic nic : nics) {
+            if (nic.getNetworkId() == loadBalancer.getNetworkId()) {
+                return nic;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * On VPC Conserve Mode, VMs from multiple VPC networks tiers can be assigned to the same load balancer.
+     * @return the nic of the VM in the specified tier network in `vmIdNetworkMap`
+     */
+    protected Nic getNicForVmInVpcConserveModeTierNetwork(UserVm vm, Map<Long, Long> vmIdNetworkMap, Account vmOwner, Network loadBalancerNetwork) {
+        Long vmNetworkId = vmIdNetworkMap.get(vm.getId());
+        Network vmNetwork = _networkDao.findById(vmNetworkId);
+        _accountMgr.checkAccess(vmOwner, SecurityChecker.AccessType.UseEntry, false, vmNetwork);
+        checkNetworkBelongsToLoadBalancerVpc(vmNetwork, loadBalancerNetwork);
+        return _networkModel.getNicInNetwork(vm.getId(), vmNetworkId);
+    }
+
+    protected void checkNetworkBelongsToLoadBalancerVpc(Network vmNetwork, Network loadBalancerNetwork) {
+        if (ObjectUtils.anyNull(vmNetwork, loadBalancerNetwork)) {
+            throw new InvalidParameterValueException("Cannot add VM to load balancer because the VM network or load balancer network is null");
+        }
+        if (ObjectUtils.anyNull(vmNetwork.getVpcId(), loadBalancerNetwork.getVpcId())) {
+            throw new InvalidParameterValueException("Cannot add VM to load balancer because the VM network or load balancer network are not part of a VPC");
+        }
+        if (!vmNetwork.getVpcId().equals(loadBalancerNetwork.getVpcId())) {
+            throw new InvalidParameterValueException("Cannot add VM to load balancer because the VM network and load balancer network are not part of the same VPC");
+        }
+    }
+
     @Override
     public boolean assignSSLCertToLoadBalancerRule(Long lbId, String certName, String publicCert, String privateKey) {
         logger.error("Calling the manager for LB");
@@ -1738,6 +1783,8 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             throw new NetworkRuleConflictException("Can't do load balance on IP address: " + ipVO.getAddress());
         }
 
+        verifyLoadBalancerRuleNetwork(name, network, ipVO);
+
         String cidrString = generateCidrString(cidrList);
 
         boolean performedIpAssoc = false;
@@ -1761,7 +1808,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
             }
 
             result = createPublicLoadBalancer(xId, name, description, srcPortStart, defPortStart, ipVO.getId(), protocol, algorithm, openFirewall, CallContext.current(),
-                    lbProtocol, forDisplay, cidrString);
+                    lbProtocol, forDisplay, cidrString, networkId);
         } catch (Exception ex) {
             logger.warn("Failed to create load balancer due to ", ex);
             if (ex instanceof NetworkRuleConflictException) {
@@ -1790,7 +1837,18 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
 
         return result;
     }
-   /**
+
+    protected void verifyLoadBalancerRuleNetwork(String lbName, Network network, IPAddressVO ipVO) {
+        boolean isVpcConserveModeEnabled = _vpcMgr.isNetworkOnVpcEnabledConserveMode(network);
+        if (!isVpcConserveModeEnabled && ipVO.getAssociatedWithNetworkId() != null && network.getId() != ipVO.getAssociatedWithNetworkId()) {
+            String msg = String.format("Cannot create Load Balancer rule %s as the IP address %s is not associated " +
+                    "with the network %s (ID=%s)", lbName, ipVO.getAddress(), network.getName(), network.getUuid());
+            logger.error(msg);
+            throw new InvalidParameterValueException(msg);
+        }
+    }
+
+    /**
     * Transforms the cidrList from a List of Strings to a String which contains all the CIDRs from cidrList separated by whitespaces. This is used to facilitate both the persistence
     * in the DB and also later when building the configuration String in the getRulesForPool method of the HAProxyConfigurator class.
    */
@@ -1824,7 +1882,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
     @Override
     public LoadBalancer createPublicLoadBalancer(final String xId, final String name, final String description, final int srcPort, final int destPort, final long sourceIpId,
                                                  final String protocol, final String algorithm, final boolean openFirewall, final CallContext caller, final String lbProtocol,
-                                                 final Boolean forDisplay, String cidrList) throws NetworkRuleConflictException {
+                                                 final Boolean forDisplay, String cidrList, Long networkIdParam) throws NetworkRuleConflictException {
         if (!NetUtils.isValidPort(destPort)) {
             throw new InvalidParameterValueException("privatePort is an invalid value: " + destPort);
         }
@@ -1853,7 +1911,7 @@ public class LoadBalancingRulesManagerImpl<Type> extends ManagerBase implements
 
             _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr);
 
-            final Long networkId = ipAddr.getAssociatedWithNetworkId();
+            final Long networkId = _ipAddrMgr.getPreferredNetworkIdForPublicIpRuleAssignment(ipAddr, networkIdParam);
             if (networkId == null) {
                 InvalidParameterValueException ex =
                         new InvalidParameterValueException("Unable to create load balancer rule ; specified sourceip id is not associated with any network");
diff --git a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index e579eeeecd6..19a5896e425 100644
--- a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -17,6 +17,7 @@
 
 package com.cloud.network.router;
 
+import com.cloud.api.ApiDBUtils;
 import static com.cloud.utils.NumbersUtil.toHumanReadableSize;
 import static com.cloud.vm.VirtualMachineManager.SystemVmEnableUserData;
 
@@ -51,6 +52,7 @@ import javax.naming.ConfigurationException;
 import com.google.gson.JsonSyntaxException;
 import com.google.gson.reflect.TypeToken;
 
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.alert.AlertService.AlertType;
 import org.apache.cloudstack.api.ApiCommandResourceType;
@@ -2083,8 +2085,14 @@ Configurable, StateListener<VirtualMachine.State, VirtualMachine.Event, VirtualM
             if (user == null) {
                 logger.warn("global setting[baremetal.provision.done.notification] is enabled but user baremetal-system-account is not found. Baremetal provision done notification will not be enabled");
             } else {
-                buf.append(String.format(" baremetalnotificationsecuritykey=%s", user.getSecretKey()));
-                buf.append(String.format(" baremetalnotificationapikey=%s", user.getApiKey()));
+                ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(user.getId());
+
+                if (latestKeypair == null) {
+                    throw new InvalidParameterValueException(String.format("No API keypair for user [%s]. Please generate it.", user.getUsername()));
+                }
+
+                buf.append(String.format(" baremetalnotificationsecuritykey=%s", latestKeypair.getSecretKey()));
+                buf.append(String.format(" baremetalnotificationapikey=%s", latestKeypair.getApiKey()));
                 buf.append(" host=").append(ApiServiceConfiguration.ManagementServerAddresses.value());
                 buf.append(" port=").append(_configDao.getValue(Config.BaremetalProvisionDoneNotificationPort.key()));
             }
diff --git a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
index 86d1fba038b..156e71e72b8 100644
--- a/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java
@@ -71,6 +71,7 @@ import org.apache.cloudstack.alert.AlertService;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
 import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.command.admin.vpc.CloneVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreatePrivateGatewayByAdminCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCOfferingCmd;
@@ -388,7 +389,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                     }
                     createVpcOffering(VpcOffering.defaultVPCOfferingName, VpcOffering.defaultVPCOfferingName, svcProviderMap,
                             true, State.Enabled, null, false,
-                            false, false, null, null, false);
+                            false, false, null, null, false, false);
                 }
 
                 // configure default vpc offering with Netscaler as LB Provider
@@ -408,7 +409,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.defaultVPCNSOfferingName, VpcOffering.defaultVPCNSOfferingName,
-                            svcProviderMap, false, State.Enabled, null, false, false, false, null, null, false);
+                            svcProviderMap, false, State.Enabled, null, false, false, false, null, null, false, false);
 
                 }
 
@@ -429,7 +430,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.redundantVPCOfferingName, VpcOffering.redundantVPCOfferingName, svcProviderMap, true, State.Enabled,
-                            null, false, false, true, null, null, false);
+                            null, false, false, true, null, null, false, false);
                 }
 
                 // configure default vpc offering with NSX as network service provider in NAT mode
@@ -446,7 +447,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.DEFAULT_VPC_NAT_NSX_OFFERING_NAME, VpcOffering.DEFAULT_VPC_NAT_NSX_OFFERING_NAME, svcProviderMap, false,
-                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false);
+                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false, false);
 
                 }
 
@@ -464,7 +465,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.DEFAULT_VPC_ROUTE_NSX_OFFERING_NAME, VpcOffering.DEFAULT_VPC_ROUTE_NSX_OFFERING_NAME, svcProviderMap, false,
-                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.ROUTED, null, false);
+                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.ROUTED, null, false, false);
 
                 }
 
@@ -482,7 +483,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.DEFAULT_VPC_ROUTE_NETRIS_OFFERING_NAME, VpcOffering.DEFAULT_VPC_ROUTE_NETRIS_OFFERING_NAME, svcProviderMap, false,
-                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.ROUTED, null, false);
+                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.ROUTED, null, false, false);
 
                 }
 
@@ -500,7 +501,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                         }
                     }
                     createVpcOffering(VpcOffering.DEFAULT_VPC_NAT_NETRIS_OFFERING_NAME, VpcOffering.DEFAULT_VPC_NAT_NETRIS_OFFERING_NAME, svcProviderMap, false,
-                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false);
+                            State.Enabled, null, false, false, false, NetworkOffering.NetworkMode.NATTED, null, false, false);
 
                 }
             }
@@ -586,6 +587,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
         boolean specifyAsNumber = cmd.getSpecifyAsNumber();
         String routingModeString = cmd.getRoutingMode();
+        boolean conserveMode = cmd.isConserveMode();
 
         // check if valid domain
         if (CollectionUtils.isNotEmpty(cmd.getDomainIds())) {
@@ -624,7 +626,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
 
         return createVpcOffering(vpcOfferingName, displayText, supportedServices,
                 serviceProviderList, serviceCapabilityList, internetProtocol, serviceOfferingId, provider, networkMode,
-                domainIds, zoneIds, (enable ? State.Enabled : State.Disabled), routingMode, specifyAsNumber);
+                domainIds, zoneIds, (enable ? State.Enabled : State.Disabled), routingMode, specifyAsNumber, conserveMode);
     }
 
     @Override
@@ -632,7 +634,13 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     public VpcOffering createVpcOffering(final String name, final String displayText, final List<String> supportedServices, final Map<String, List<String>> serviceProviders,
                                          final Map serviceCapabilityList, final NetUtils.InternetProtocol internetProtocol, final Long serviceOfferingId,
                                          final String externalProvider, final NetworkOffering.NetworkMode networkMode, List<Long> domainIds, List<Long> zoneIds, State state,
-                                         NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber) {
+                                         NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber, boolean conserveMode) {
+
+        boolean isExternalProvider = externalProvider != null &&
+                Arrays.asList("NSX", "Netris").stream().anyMatch(s -> s.equalsIgnoreCase(externalProvider));
+        if (!isExternalProvider && CollectionUtils.isEmpty(supportedServices)) {
+            throw new InvalidParameterValueException("Supported services needs to be provided");
+        }
 
         if (!Ipv6Service.Ipv6OfferingCreationEnabled.value() && !(internetProtocol == null || NetUtils.InternetProtocol.IPv4.equals(internetProtocol))) {
             throw new InvalidParameterValueException(String.format("Configuration %s needs to be enabled for creating IPv6 supported VPC offering", Ipv6Service.Ipv6OfferingCreationEnabled.key()));
@@ -727,7 +735,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         final boolean offersRegionLevelVPC = isVpcOfferingForRegionLevelVpc(serviceCapabilityList);
         final boolean redundantRouter = isVpcOfferingRedundantRouter(serviceCapabilityList, redundantRouterService);
         final VpcOfferingVO offering = createVpcOffering(name, displayText, svcProviderMap, false, state, serviceOfferingId, supportsDistributedRouter, offersRegionLevelVPC,
-                redundantRouter, networkMode, routingMode, specifyAsNumber);
+                redundantRouter, networkMode, routingMode, specifyAsNumber, conserveMode);
 
         if (offering != null) {
             List<VpcOfferingDetailsVO> detailsVO = new ArrayList<>();
@@ -755,7 +763,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
     @DB
     protected VpcOfferingVO createVpcOffering(final String name, final String displayText, final Map<Service, Set<Provider>> svcProviderMap,
                                               final boolean isDefault, final State state, final Long serviceOfferingId, final boolean supportsDistributedRouter, final boolean offersRegionLevelVPC,
-                                              final boolean redundantRouter, NetworkOffering.NetworkMode networkMode, NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber) {
+                                              final boolean redundantRouter, NetworkOffering.NetworkMode networkMode, NetworkOffering.RoutingMode routingMode, boolean specifyAsNumber, boolean conserveMode) {
 
         return Transaction.execute(new TransactionCallback<VpcOfferingVO>() {
             @Override
@@ -771,6 +779,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
                 if (Objects.nonNull(routingMode)) {
                     offering.setRoutingMode(routingMode);
                 }
+                offering.setConserveMode(conserveMode);
 
                 logger.debug("Adding vpc offering " + offering);
                 offering = _vpcOffDao.persist(offering);
@@ -811,6 +820,349 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         }
     }
 
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_VPC_OFFERING_CLONE, eventDescription = "cloning VPC offering")
+    public VpcOffering cloneVPCOffering(CloneVPCOfferingCmd cmd) {
+        Long sourceVpcOfferingId = cmd.getSourceOfferingId();
+
+        final VpcOffering sourceVpcOffering = _vpcOffDao.findById(sourceVpcOfferingId);
+        if (sourceVpcOffering == null) {
+            throw new InvalidParameterValueException("Unable to find source VPC offering by id " + sourceVpcOfferingId);
+        }
+
+        String name = cmd.getVpcOfferingName();
+        if (name == null || name.isEmpty()) {
+            throw new InvalidParameterValueException("Name is required when cloning a VPC offering");
+        }
+
+        VpcOfferingVO vpcOfferingVO = _vpcOffDao.findByUniqueName(name);
+        if (vpcOfferingVO != null) {
+            throw new InvalidParameterValueException(String.format("A VPC offering with name %s already exists", name));
+        }
+
+        logger.info("Cloning VPC offering {} (id: {}) to new offering with name: {}",
+                sourceVpcOffering.getName(), sourceVpcOfferingId, name);
+
+        Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap = getVpcOffSvcProvidersMap(sourceVpcOfferingId);
+        validateProvider(sourceVpcOffering, sourceServiceProviderMap, cmd.getProvider(), cmd.getNetworkMode());
+
+        applySourceOfferingValuesToCloneCmd(cmd, sourceServiceProviderMap, sourceVpcOffering);
+
+        return createVpcOffering(cmd);
+    }
+
+    private void validateProvider(VpcOffering sourceVpcOffering,
+                                  Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap,
+                                  String provider, String networkMode) {
+        provider = ConfigurationManagerImpl.getExternalNetworkProvider(provider, sourceServiceProviderMap);
+        if (provider != null && (provider.equals("NSX") || provider.equals("Netris"))) {
+            if (networkMode != null && sourceVpcOffering.getNetworkMode() != null) {
+                if (!networkMode.equalsIgnoreCase(sourceVpcOffering.getNetworkMode().toString())) {
+                    throw new InvalidParameterValueException(
+                            String.format("Cannot change network mode when cloning %s provider VPC offerings. " +
+                                            "Source offering has network mode '%s', but '%s' was specified. ",
+                                    provider, sourceVpcOffering.getNetworkMode(), networkMode));
+                }
+            }
+        }
+    }
+
+    private void applySourceOfferingValuesToCloneCmd(CloneVPCOfferingCmd cmd,
+                                                     Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap,
+                                                     VpcOffering sourceVpcOffering) {
+        Long sourceOfferingId = sourceVpcOffering.getId();
+
+        List<String> finalServices = resolveFinalServicesList(cmd, sourceServiceProviderMap);
+
+        Map finalServiceProviderMap = resolveServiceProviderMap(cmd, sourceServiceProviderMap, finalServices);
+
+        List<Long> sourceDomainIds = vpcOfferingDetailsDao.findDomainIds(sourceOfferingId);
+        List<Long> sourceZoneIds = vpcOfferingDetailsDao.findZoneIds(sourceOfferingId);
+
+        Map<String, String> sourceServiceCapabilityList = reconstructServiceCapabilityList(sourceVpcOffering);
+
+        applyResolvedValuesToCommand(cmd, (VpcOfferingVO)sourceVpcOffering, finalServices, finalServiceProviderMap,
+                sourceDomainIds, sourceZoneIds, sourceServiceCapabilityList);
+    }
+
+    /**
+     * Reconstructs the service capability list from the source VPC offering's stored capability flags.
+     * These capabilities were originally passed during creation and stored as boolean flags in the offering.
+     *
+     * Returns a Map in the format expected by CreateVPCOfferingCmd.serviceCapabilityList:
+     * Map<String, String> with keys like "0.service", "0.capabilitytype", "0.capabilityvalue"
+     */
+    private Map<String, String> reconstructServiceCapabilityList(VpcOffering sourceOffering) {
+        Map<String, String> capabilityList = new HashMap<>();
+        int index = 0;
+
+        if (sourceOffering.isOffersRegionLevelVPC()) {
+            capabilityList.put(index + ".service", Network.Service.Connectivity.getName());
+            capabilityList.put(index + ".capabilitytype", Network.Capability.RegionLevelVpc.getName());
+            capabilityList.put(index + ".capabilityvalue", "true");
+            index++;
+        }
+
+        if (sourceOffering.isSupportsDistributedRouter()) {
+            capabilityList.put(index + ".service", Network.Service.Connectivity.getName());
+            capabilityList.put(index + ".capabilitytype", Network.Capability.DistributedRouter.getName());
+            capabilityList.put(index + ".capabilityvalue", "true");
+            index++;
+        }
+
+        if (sourceOffering.isRedundantRouter()) {
+            Map<Network.Service, Set<Network.Provider>> serviceProviderMap = getVpcOffSvcProvidersMap(sourceOffering.getId());
+
+            // Check which service has VPCVirtualRouter provider - SourceNat takes precedence
+            Network.Service redundantRouterService = null;
+            for (Network.Service service : Arrays.asList(Network.Service.SourceNat, Network.Service.Gateway, Network.Service.StaticNat)) {
+                Set<Network.Provider> providers = serviceProviderMap.get(service);
+                if (providers != null && providers.contains(Network.Provider.VPCVirtualRouter)) {
+                    redundantRouterService = service;
+                    break;
+                }
+            }
+
+            if (redundantRouterService != null) {
+                capabilityList.put(index + ".service", redundantRouterService.getName());
+                capabilityList.put(index + ".capabilitytype", Network.Capability.RedundantRouter.getName());
+                capabilityList.put(index + ".capabilityvalue", "true");
+            }
+        }
+
+        return capabilityList;
+    }
+
+    private List<String> resolveFinalServicesList(CloneVPCOfferingCmd cmd,
+                                                  Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap) {
+
+        List<String> cmdServices = cmd.getSupportedServices();
+        List<String> addServices = cmd.getAddServices();
+        List<String> dropServices = cmd.getDropServices();
+
+        if (cmdServices != null && !cmdServices.isEmpty()) {
+            return cmdServices;
+        }
+
+        List<String> finalServices = new ArrayList<>();
+        for (Network.Service service : sourceServiceProviderMap.keySet()) {
+            finalServices.add(service.getName());
+        }
+
+        if (dropServices != null && !dropServices.isEmpty()) {
+            List<String> normalizedDropServices = new ArrayList<>();
+            for (String serviceName : dropServices) {
+                Network.Service service = Network.Service.getService(serviceName);
+                if (service == null) {
+                    throw new InvalidParameterValueException("Service " + serviceName + " is not supported in VPC");
+                }
+                normalizedDropServices.add(service.getName());
+            }
+            finalServices.removeAll(normalizedDropServices);
+            logger.debug("Dropped services from clone: {}", dropServices);
+        }
+
+        if (addServices != null && !addServices.isEmpty()) {
+            List<String> normalizedAddServices = new ArrayList<>();
+            for (String serviceName : addServices) {
+                Network.Service service = Network.Service.getService(serviceName);
+                if (service == null) {
+                    throw new InvalidParameterValueException("Service " + serviceName + " is not supported in VPC");
+                }
+                String canonicalName = service.getName();
+                if (!finalServices.contains(canonicalName)) {
+                    finalServices.add(canonicalName);
+                    normalizedAddServices.add(canonicalName);
+                }
+            }
+            logger.debug("Added services to clone: {}", addServices);
+        }
+
+        return finalServices;
+    }
+
+    private Map<String, List<String>> resolveServiceProviderMap(CloneVPCOfferingCmd cmd,
+                                                                Map<Network.Service, Set<Network.Provider>> sourceServiceProviderMap, List<String> finalServices) {
+
+        if (cmd.getServiceProviders() != null && !cmd.getServiceProviders().isEmpty()) {
+            return cmd.getServiceProviders();
+        }
+
+        Map<String, List<String>> finalMap = new HashMap<>();
+        for (Map.Entry<Network.Service, Set<Network.Provider>> entry : sourceServiceProviderMap.entrySet()) {
+            String serviceName = entry.getKey().getName();
+            if (finalServices.contains(serviceName)) {
+                List<String> providers = new ArrayList<>();
+                for (Network.Provider provider : entry.getValue()) {
+                    providers.add(provider.getName());
+                }
+                finalMap.put(serviceName, providers);
+            }
+        }
+
+        return finalMap;
+    }
+
+    /**
+     * Converts service provider map from Map<String, List<String>> to the indexed format
+     * expected by CreateVPCOfferingCmd.serviceProviderList parameter.
+     *
+     * Input: {"Dhcp": ["VpcVirtualRouter"], "Dns": ["VpcVirtualRouter"]}
+     * Output: {"0": {"service": "Dhcp", "provider": "VpcVirtualRouter"},
+     *          "1": {"service": "Dns", "provider": "VpcVirtualRouter"}}
+     */
+    private Map<String, Map<String, String>> convertToServiceProviderListFormat(Map<String, List<String>> serviceProviderMap) {
+        Map<String, Map<String, String>> result = new HashMap<>();
+        int index = 0;
+
+        for (Map.Entry<String, List<String>> entry : serviceProviderMap.entrySet()) {
+            String serviceName = entry.getKey();
+            List<String> providers = entry.getValue();
+
+            for (String providerName : providers) {
+                Map<String, String> serviceProviderEntry = new HashMap<>();
+                serviceProviderEntry.put("service", serviceName);
+                serviceProviderEntry.put("provider", providerName);
+                result.put(String.valueOf(index++), serviceProviderEntry);
+            }
+        }
+
+        return result;
+    }
+
+    private void applyResolvedValuesToCommand(CloneVPCOfferingCmd cmd, VpcOfferingVO sourceOffering,
+                                              List<String> finalServices, Map finalServiceProviderMap,
+                                              List<Long> sourceDomainIds, List<Long> sourceZoneIds,
+                                              Map<String, String> sourceServiceCapabilityList) {
+        try {
+            if (cmd.getSupportedServices() == null || cmd.getSupportedServices().isEmpty()) {
+                logger.debug("Setting supportedServices to {} services from source offering", finalServices.size());
+                ConfigurationManagerImpl.setField(cmd, "supportedServices", finalServices);
+            }
+
+            if (cmd.getServiceProviders() == null || cmd.getServiceProviders().isEmpty()) {
+                Map<String, Map<String, String>> convertedProviderMap = convertToServiceProviderListFormat(finalServiceProviderMap);
+                logger.debug("Setting serviceProviderList with {} provider mappings", convertedProviderMap.size());
+                ConfigurationManagerImpl.setField(cmd, "serviceProviderList", convertedProviderMap);
+            }
+
+            if ((cmd.getServiceCapabilityList() == null || cmd.getServiceCapabilityList().isEmpty())
+                    && sourceServiceCapabilityList != null && !sourceServiceCapabilityList.isEmpty()) {
+                Map<String, String> filteredCapabilities = filterServiceCapabilities(sourceServiceCapabilityList, finalServices);
+                if (!filteredCapabilities.isEmpty()) {
+                    ConfigurationManagerImpl.setField(cmd, "serviceCapabilityList", filteredCapabilities);
+                }
+            }
+
+            if (cmd.getDisplayText() == null && sourceOffering.getDisplayText() != null) {
+                ConfigurationManagerImpl.setField(cmd, "displayText", sourceOffering.getDisplayText());
+            }
+
+            if (cmd.getServiceOfferingId() == null && sourceOffering.getServiceOfferingId() != null) {
+                ConfigurationManagerImpl.setField(cmd, "serviceOfferingId", sourceOffering.getServiceOfferingId());
+            }
+
+            Boolean enableFieldValue = getRawFieldValue(cmd, "enable", Boolean.class);
+            if (enableFieldValue == null) {
+                Boolean enableState = sourceOffering.getState() == VpcOffering.State.Enabled;
+                ConfigurationManagerImpl.setField(cmd, "enable", enableState);
+            }
+
+            Boolean specifyAsNumberFieldValue = getRawFieldValue(cmd, "specifyAsNumber", Boolean.class);
+            if (specifyAsNumberFieldValue == null) {
+                ConfigurationManagerImpl.setField(cmd, "specifyAsNumber", sourceOffering.isSpecifyAsNumber());
+            }
+
+            if (cmd.getInternetProtocol() == null) {
+                String internetProtocol = vpcOfferingDetailsDao.getDetail(sourceOffering.getId(), ApiConstants.INTERNET_PROTOCOL);
+                if (internetProtocol != null) {
+                    ConfigurationManagerImpl.setField(cmd, "internetProtocol", internetProtocol);
+                }
+            }
+
+            if (cmd.getNetworkMode() == null && sourceOffering.getNetworkMode() != null) {
+                ConfigurationManagerImpl.setField(cmd, "networkMode", sourceOffering.getNetworkMode().toString());
+            }
+
+            if (cmd.getRoutingMode() == null && sourceOffering.getRoutingMode() != null) {
+                ConfigurationManagerImpl.setField(cmd, "routingMode", sourceOffering.getRoutingMode().toString());
+            }
+
+            if (cmd.getDomainIds() == null || cmd.getDomainIds().isEmpty()) {
+                if (sourceDomainIds != null && !sourceDomainIds.isEmpty()) {
+                    ConfigurationManagerImpl.setField(cmd, "domainIds", sourceDomainIds);
+                }
+            }
+
+            if (cmd.getZoneIds() == null || cmd.getZoneIds().isEmpty()) {
+                if (sourceZoneIds != null && !sourceZoneIds.isEmpty()) {
+                    ConfigurationManagerImpl.setField(cmd, "zoneIds", sourceZoneIds);
+                }
+            }
+
+        } catch (Exception e) {
+            logger.error("Failed to apply source offering parameters during clone: {}", e.getMessage(), e);
+            throw new CloudRuntimeException("Failed to apply source offering parameters during VPC offering clone", e);
+        }
+    }
+
+    private <T> T getRawFieldValue(Object obj, String fieldName, Class<T> expectedType) {
+        try {
+            java.lang.reflect.Field field = ConfigurationManagerImpl.findField(obj.getClass(), fieldName);
+            if (field != null) {
+                field.setAccessible(true);
+                Object value = field.get(obj);
+                if (value == null || expectedType.isInstance(value)) {
+                    return expectedType.cast(value);
+                }
+            }
+        } catch (Exception e) {
+            logger.debug("Could not get raw field value for {}: {}", fieldName, e.getMessage());
+        }
+        return null;
+    }
+
+    /**
+     * Filters service capabilities to only include those for services present in the final services list.
+     * This ensures that when services are dropped during cloning, their associated capabilities are also removed.
+     *
+     * @param sourceServiceCapabilityList The original capability list from the source VPC offering
+     *                                     in format: Map with keys like "0.service", "0.capabilitytype", "0.capabilityvalue"
+     * @param finalServices The list of service names that should be retained in the cloned offering
+     * @return Filtered map containing only capabilities for services in finalServices
+     */
+    private Map<String, String> filterServiceCapabilities(Map<String, String> sourceServiceCapabilityList,
+                                                          List<String> finalServices) {
+        Map<String, String> filteredCapabilities = new HashMap<>();
+
+        for (Map.Entry<String, String> entry : sourceServiceCapabilityList.entrySet()) {
+            String key = entry.getKey();
+            String value = entry.getValue();
+
+            // Check if this is a service key (e.g., "0.service", "1.service")
+            if (key.endsWith(".service")) {
+                String serviceName = value;
+                if (finalServices.contains(serviceName)) {
+                    // Include this service and its associated capability entries
+                    String prefix = key.substring(0, key.lastIndexOf('.'));
+                    filteredCapabilities.put(key, value);
+
+                    // Also include the capability type and value for this service
+                    String capabilityTypeKey = prefix + ".capabilitytype";
+                    String capabilityValueKey = prefix + ".capabilityvalue";
+                    if (sourceServiceCapabilityList.containsKey(capabilityTypeKey)) {
+                        filteredCapabilities.put(capabilityTypeKey, sourceServiceCapabilityList.get(capabilityTypeKey));
+                    }
+                    if (sourceServiceCapabilityList.containsKey(capabilityValueKey)) {
+                        filteredCapabilities.put(capabilityValueKey, sourceServiceCapabilityList.get(capabilityValueKey));
+                    }
+                }
+            }
+        }
+
+        return filteredCapabilities;
+    }
+
     private void validateConnectivtyServiceCapabilities(final Set<Provider> providers, final Map serviceCapabilitystList) {
         if (serviceCapabilitystList != null && !serviceCapabilitystList.isEmpty()) {
             final Collection serviceCapabilityCollection = serviceCapabilitystList.values();
@@ -2954,6 +3306,20 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
         return true;
     }
 
+    protected boolean isNetworkOnVpc(Network network) {
+        return network.getVpcId() != null;
+    }
+
+    @Override
+    public boolean isNetworkOnVpcEnabledConserveMode(Network newRuleNetwork) {
+        if (isNetworkOnVpc(newRuleNetwork)) {
+            Vpc vpc = getActiveVpc(newRuleNetwork.getVpcId());
+            VpcOfferingVO vpcOffering = vpc != null ? _vpcOffDao.findById(vpc.getVpcOfferingId()) : null;
+            return vpcOffering != null && vpcOffering.isConserveMode();
+        }
+        return false;
+    }
+
     protected boolean applyStaticRoutes(final List<StaticRouteVO> routes, final Account caller, final boolean updateRoutesInDB) throws ResourceUnavailableException {
         final boolean success = true;
         final List<StaticRouteProfile> staticRouteProfiles = getVpcStaticRoutes(routes);
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index b595d01127c..f8c4d1d44d4 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -43,6 +43,7 @@ import javax.crypto.spec.SecretKeySpec;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import com.cloud.network.vpc.VpcVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
@@ -131,6 +132,7 @@ import org.apache.cloudstack.api.command.admin.management.ListMgmtsCmd;
 import org.apache.cloudstack.api.command.admin.management.RemoveManagementServerCmd;
 import org.apache.cloudstack.api.command.admin.network.AddNetworkDeviceCmd;
 import org.apache.cloudstack.api.command.admin.network.AddNetworkServiceProviderCmd;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateNetworkCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
@@ -161,6 +163,8 @@ import org.apache.cloudstack.api.command.admin.network.UpdateNetworkServiceProvi
 import org.apache.cloudstack.api.command.admin.network.UpdatePhysicalNetworkCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdatePodManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdateStorageNetworkIpRangeCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateDiskOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.DeleteDiskOfferingCmd;
@@ -275,15 +279,18 @@ import org.apache.cloudstack.api.command.admin.usage.ListUsageTypesCmd;
 import org.apache.cloudstack.api.command.admin.usage.RemoveRawUsageRecordsCmd;
 import org.apache.cloudstack.api.command.admin.usage.UpdateTrafficTypeCmd;
 import org.apache.cloudstack.api.command.admin.user.CreateUserCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
 import org.apache.cloudstack.api.command.admin.user.DisableUserCmd;
 import org.apache.cloudstack.api.command.admin.user.EnableUserCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.ListUsersCmd;
 import org.apache.cloudstack.api.command.admin.user.LockUserCmd;
 import org.apache.cloudstack.api.command.admin.user.MoveUserCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterUserKeyCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 import org.apache.cloudstack.api.command.admin.vlan.CreateVlanIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.vlan.DedicatePublicIpRangeCmd;
@@ -324,6 +331,7 @@ import org.apache.cloudstack.api.command.admin.volume.RecoverVolumeCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.volume.ResizeVolumeCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.volume.UpdateVolumeCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.volume.UploadVolumeCmdByAdmin;
+import org.apache.cloudstack.api.command.admin.vpc.CloneVPCOfferingCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreatePrivateGatewayByAdminCmd;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.vpc.CreateVPCOfferingCmd;
@@ -3856,6 +3864,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(AddNetworkDeviceCmd.class);
         cmdList.add(AddNetworkServiceProviderCmd.class);
         cmdList.add(CreateNetworkOfferingCmd.class);
+        cmdList.add(CloneNetworkOfferingCmd.class);
         cmdList.add(CreatePhysicalNetworkCmd.class);
         cmdList.add(CreateStorageNetworkIpRangeCmd.class);
         cmdList.add(DeleteNetworkDeviceCmd.class);
@@ -3876,7 +3885,9 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ListDedicatedGuestVlanRangesCmd.class);
         cmdList.add(ReleaseDedicatedGuestVlanRangeCmd.class);
         cmdList.add(CreateDiskOfferingCmd.class);
+        cmdList.add(CloneDiskOfferingCmd.class);
         cmdList.add(CreateServiceOfferingCmd.class);
+        cmdList.add(CloneServiceOfferingCmd.class);
         cmdList.add(DeleteDiskOfferingCmd.class);
         cmdList.add(DeleteServiceOfferingCmd.class);
         cmdList.add(IsAccountAllowedToCreateOfferingsWithTagsCmd.class);
@@ -3947,7 +3958,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ListUsersCmd.class);
         cmdList.add(LockUserCmd.class);
         cmdList.add(MoveUserCmd.class);
-        cmdList.add(RegisterUserKeyCmd.class);
+        cmdList.add(RegisterUserKeysCmd.class);
         cmdList.add(UpdateUserCmd.class);
         cmdList.add(CreateVlanIpRangeCmd.class);
         cmdList.add(UpdateVlanIpRangeCmd.class);
@@ -3961,6 +3972,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(RecoverVMCmd.class);
         cmdList.add(CreatePrivateGatewayCmd.class);
         cmdList.add(CreateVPCOfferingCmd.class);
+        cmdList.add(CloneVPCOfferingCmd.class);
         cmdList.add(DeletePrivateGatewayCmd.class);
         cmdList.add(DeleteVPCOfferingCmd.class);
         cmdList.add(UpdateVPCOfferingCmd.class);
@@ -4375,6 +4387,10 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(CreateConsoleEndpointCmd.class);
         cmdList.add(ListConsoleSessionsCmd.class);
 
+        cmdList.add(DeleteUserKeysCmd.class);
+        cmdList.add(ListUserKeysCmd.class);
+        cmdList.add(ListUserKeyRulesCmd.class);
+
         //user data APIs
         cmdList.add(RegisterUserDataCmd.class);
         cmdList.add(DeleteUserDataCmd.class);
@@ -4777,7 +4793,13 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         try {
             // get the user obj to get their secret key
             user = _accountMgr.getActiveUser(userId);
-            final String secretKey = user.getSecretKey();
+            ApiKeyPairVO latestKeypair = ApiDBUtils.searchForLatestUserKeyPair(user.getId());
+
+            if (latestKeypair == null) {
+                throw new InvalidParameterValueException(String.format("No API keypair for user [%s]. Please generate it.", user.getUsername()));
+            }
+
+            final String secretKey = latestKeypair.getSecretKey();
             signature = signRequest(cloudIdentifier, secretKey);
         } catch (final Exception e) {
             logger.warn("Exception whilst creating a signature:" + e);
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
index 265a975af24..6886e0e35ce 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.logging.log4j.Logger;
@@ -543,24 +544,23 @@ public class ConsoleProxyServlet extends HttpServlet {
             txn.close();
             User user = null;
             // verify there is a user with this api key
-            Pair<User, Account> userAcctPair = _accountMgr.findUserByApiKey(apiKey);
-            if (userAcctPair == null) {
+            Ternary<User, Account, ApiKeyPair> keyPairTernary = _accountMgr.findUserByApiKey(apiKey);
+            if (keyPairTernary == null) {
                 LOGGER.debug("apiKey does not map to a valid user -- ignoring request, apiKey: " + apiKey);
                 return false;
             }
 
-            user = userAcctPair.first();
-            Account account = userAcctPair.second();
+            user = keyPairTernary.first();
+            Account account = keyPairTernary.second();
+            ApiKeyPair keyPair = keyPairTernary.third();
 
             if (!user.getState().equals(Account.State.ENABLED) || !account.getState().equals(Account.State.ENABLED)) {
                 LOGGER.debug("disabled or locked user accessing the api, user: {}; state: {}; accountState: {}", user, user.getState(), account.getState());
                 return false;
             }
 
-            // verify secret key exists
-            secretKey = user.getSecretKey();
-            if (secretKey == null) {
-                LOGGER.debug("User does not have a secret key associated with the account -- ignoring request, user: {}", user);
+            if (keyPair == null) {
+                LOGGER.debug("User does not have a keypair associated with the account -- ignoring request, username: {}", user.getUsername());
                 return false;
             }
 
diff --git a/server/src/main/java/com/cloud/user/AccountManager.java b/server/src/main/java/com/cloud/user/AccountManager.java
index c46ac78526b..98d2419e048 100644
--- a/server/src/main/java/com/cloud/user/AccountManager.java
+++ b/server/src/main/java/com/cloud/user/AccountManager.java
@@ -21,6 +21,7 @@ import java.util.List;
 import java.util.Map;
 
 import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
 import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
 import org.apache.cloudstack.api.command.admin.user.MoveUserCmd;
@@ -35,7 +36,6 @@ import com.cloud.api.query.vo.ControlledViewEntity;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.projects.Project.ListProjectResourcesCriteria;
-import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@@ -85,7 +85,7 @@ public interface AccountManager extends AccountService, Configurable {
      *            that was created for a particular user
      * @return the user/account pair if one exact match was found, null otherwise
      */
-    Pair<User, Account> findUserByApiKey(String apiKey);
+    Ternary<User, Account, ApiKeyPair> findUserByApiKey(String apiKey);
 
     boolean enableAccount(long accountId);
 
@@ -202,9 +202,13 @@ public interface AccountManager extends AccountService, Configurable {
 
     void validateUserPasswordAndUpdateIfNeeded(String newPassword, UserVO user, String currentPassword, boolean skipCurrentPassValidation);
 
-    void checkApiAccess(Account caller, String command);
+    void checkApiAccess(Account caller, String command, String apiKey);
 
     UserAccount clearUserTwoFactorAuthenticationInSetupStateOnLogin(UserAccount user);
 
     void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount);
+
+    void verifyCallerPrivilegeForUserOrAccountOperations(User user);
+
+    void checkCallerRoleTypeAllowedForUserOrAccountOperations(Account userAccount, User user);
 }
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
index 09ef9fe8bec..d9af7af6c33 100644
--- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -25,6 +25,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Comparator;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -44,27 +45,48 @@ import javax.crypto.spec.SecretKeySpec;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.user.dao.AccountDao;
+import com.cloud.user.dao.SSHKeyPairDao;
+import com.cloud.user.dao.UserAccountDao;
+import com.cloud.user.dao.UserDao;
 import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.ApiKeyPairManagerImpl;
+import org.apache.cloudstack.acl.ApiKeyPairPermissionVO;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.InfrastructureEntity;
 import org.apache.cloudstack.acl.QuerySelector;
 import org.apache.cloudstack.acl.Role;
+import org.apache.cloudstack.acl.RolePermission;
+import org.apache.cloudstack.acl.RolePermissionEntity;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
+import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
+import org.apache.cloudstack.acl.dao.ApiKeyPairPermissionsDao;
 import org.apache.cloudstack.affinity.AffinityGroup;
 import org.apache.cloudstack.affinity.dao.AffinityGroupDao;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseAsyncCmd;
 import org.apache.cloudstack.api.command.admin.account.CreateAccountCmd;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
 import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
+import org.apache.cloudstack.api.command.admin.user.DeleteUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeyRulesCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.MoveUserCmd;
-import org.apache.cloudstack.api.command.admin.user.RegisterUserKeyCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
+import org.apache.cloudstack.api.response.ApiKeyPairResponse;
+import org.apache.cloudstack.api.response.BaseRolePermissionResponse;
+import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.UserTwoFactorAuthenticationSetupResponse;
 import org.apache.cloudstack.auth.UserAuthenticator;
 import org.apache.cloudstack.auth.UserAuthenticator.ActionOnFailedAuthentication;
@@ -78,6 +100,7 @@ import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.query.QueryService;
 import org.apache.cloudstack.network.RoutedIpv4Manager;
 import org.apache.cloudstack.network.dao.NetworkPermissionDao;
 import org.apache.cloudstack.region.gslb.GlobalLoadBalancerRuleDao;
@@ -88,6 +111,8 @@ import org.apache.cloudstack.webhook.WebhookHelper;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 
@@ -170,17 +195,12 @@ import com.cloud.storage.snapshot.SnapshotManager;
 import com.cloud.template.TemplateManager;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account.State;
-import com.cloud.user.dao.AccountDao;
-import com.cloud.user.dao.SSHKeyPairDao;
-import com.cloud.user.dao.UserAccountDao;
-import com.cloud.user.dao.UserDao;
 import com.cloud.user.dao.UserDataDao;
 import com.cloud.utils.ConstantTimeComparator;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.UuidUtils;
-import com.cloud.utils.StringUtils;
 import com.cloud.utils.component.ComponentContext;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
@@ -212,6 +232,8 @@ import com.cloud.vm.snapshot.VMSnapshot;
 import com.cloud.vm.snapshot.VMSnapshotManager;
 import com.cloud.vm.snapshot.VMSnapshotVO;
 import com.cloud.vm.snapshot.dao.VMSnapshotDao;
+import org.apache.cloudstack.api.BaseCmd;
+import org.joda.time.DateTime;
 
 public class AccountManagerImpl extends ManagerBase implements AccountManager, Manager {
 
@@ -228,6 +250,14 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Inject
     private InstanceGroupDao _vmGroupDao;
     @Inject
+    private ApiKeyPairDao apiKeyPairDao;
+    @Inject
+    private ApiKeyPairService apiKeyPairService;
+    @Inject
+    private ApiKeyPairPermissionsDao apiKeyPairPermissionsDao;
+    @Inject
+    private ApiKeyPairManagerImpl keyPairManager;
+    @Inject
     private UserAccountDao userAccountDao;
     @Inject
     private VolumeDao _volumeDao;
@@ -294,6 +324,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Inject
     private VolumeApiService volumeService;
     @Inject
+    private QueryService queryService;
+    @Inject
     private AffinityGroupDao _affinityGroupDao;
     @Inject
     private AccountGuestVlanMapDao _accountGuestVlanMapDao;
@@ -398,6 +430,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             true,
             ConfigKey.Scope.Domain);
 
+    private Map<RoleType, Set<String>> annotationRoleBasedApisMap = new HashMap<>();
+
     static ConfigKey<Boolean> userAllowMultipleAccounts = new ConfigKey<>("Advanced",
             Boolean.class,
             "user.allow.multiple.accounts",
@@ -424,6 +458,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
     protected AccountManagerImpl() {
         super();
+        for (RoleType roleType : RoleType.values()) {
+            annotationRoleBasedApisMap.put(roleType, new HashSet<>());
+        }
     }
 
     public List<UserAuthenticator> getUserAuthenticators() {
@@ -903,6 +940,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return cleanupAccount(account, callerUserId, caller);
     }
 
+    protected void removeUserApiKeys(Long userId) {
+        List<ApiKeyPairVO> apiKeyPairs = apiKeyPairDao.listApiKeysByUserOrApiKeyId(userId, null).first();
+        apiKeyPairs.forEach(keyPair -> _accountService.deleteApiKey(keyPair));
+    }
+
     protected void cleanupPluginsResourcesIfNeeded(Account account) {
         try {
             KubernetesServiceHelper kubernetesServiceHelper =
@@ -921,6 +963,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
             // cleanup the users from the account
             List<UserVO> users = _userDao.listByAccount(accountId);
             for (UserVO user : users) {
+                removeUserApiKeys(user.getId());
                 if (!_userDao.remove(user.getId())) {
                     logger.error("Unable to delete user: " + user + " as a part of account " + account + " cleanup");
                     accountCleanupNeeded = true;
@@ -1469,16 +1512,25 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         }
     }
 
-    private void checkApiAccess(List<APIChecker> apiCheckers, Account caller, String command) {
+    private void checkApiAccess(List<APIChecker> apiCheckers, Account caller, String command, ApiKeyPairPermission... apiKeyPairPermissions) {
         for (final APIChecker apiChecker : apiCheckers) {
-            apiChecker.checkAccess(caller, command);
+            apiChecker.checkAccess(caller, command, apiKeyPairPermissions);
         }
     }
 
     @Override
-    public void checkApiAccess(Account caller, String command) {
+    public void checkApiAccess(Account caller, String command, String apiKey) {
         List<APIChecker> apiCheckers = getEnabledApiCheckers();
-        checkApiAccess(apiCheckers, caller, command);
+
+        List<ApiKeyPairPermission> keyPairPermissions = new ArrayList<>();
+        if (apiKey != null) {
+            Ternary<User, Account, ApiKeyPair> keyPairTernary = findUserByApiKey(apiKey);
+            if (keyPairTernary != null) {
+                keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(keyPairTernary.third().getId(), caller.getRoleId());
+            }
+        }
+
+        checkApiAccess(apiCheckers, caller, command, keyPairPermissions.toArray(new ApiKeyPairPermission[0]));
     }
 
     @NotNull
@@ -1641,8 +1693,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         }
     }
 
-    protected void verifyCallerPrivilegeForUserOrAccountOperations(User user) {
-        logger.debug(String.format("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: %s", user));
+    @Override
+    public void verifyCallerPrivilegeForUserOrAccountOperations(User user) {
+        logger.debug("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: {}", user);
 
         Account userAccount = getAccount(user.getAccountId());
         if (!Account.Type.PROJECT.equals(userAccount.getType())) {
@@ -1651,7 +1704,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         }
     }
 
-    protected void checkCallerRoleTypeAllowedForUserOrAccountOperations(Account userAccount, User user) {
+    @Override
+    public void checkCallerRoleTypeAllowedForUserOrAccountOperations(Account userAccount, User user) {
         Account callingAccount = getCurrentCallingAccount();
         RoleType callerRoleType = getRoleType(callingAccount);
         RoleType userAccountRoleType = getRoleType(userAccount);
@@ -1892,7 +1946,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     }
 
     /**
-     * Validates user API and Secret keys. If a new pair of keys is provided, we update them in the user POJO.
+     * Validates user API and Secret keys. If a new pair of keys is provided, we update them in the key pair POJO.
      * <ul>
      * <li>When updating the keys, it must be provided a pair (API and Secret keys); otherwise, an {@link InvalidParameterValueException} is thrown.
      * <li>If a pair of keys is provided, we validate to see if there is an user already using the provided API key. If there is someone else using, we throw an {@link InvalidParameterValueException} because two users cannot have the same API key.
@@ -1905,19 +1959,25 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         boolean isApiKeyBlank = StringUtils.isBlank(apiKey);
         boolean isSecretKeyBlank = StringUtils.isBlank(secretKey);
         if (isApiKeyBlank ^ isSecretKeyBlank) {
-            throw new InvalidParameterValueException("Please provide a userApiKey/userSecretKey pair");
+            throw new InvalidParameterValueException("Please provide a valid API and secret key pair.");
         }
         if (isApiKeyBlank && isSecretKeyBlank) {
             return;
         }
-        UserAccount apiKeyOwner = userAccountDao.getUserByApiKey(apiKey);
-        if (apiKeyOwner != null) {
-            if (apiKeyOwner.getId() != user.getId()) {
-                throw new InvalidParameterValueException(String.format("The API key [%s] already exists in the system. Please provide a unique key.", apiKey));
-            }
+
+        ApiKeyPairVO lastUserKeyPair = apiKeyPairDao.getLastApiKeyCreatedByUser(user.getId());
+        if (lastUserKeyPair == null) {
+            throw new InvalidParameterValueException(String.format("User [%s] has no active API key pairs to be updated.", user.getUsername()));
         }
-        user.setApiKey(apiKey);
-        user.setSecretKey(secretKey);
+
+        Ternary<User, Account, ApiKeyPair> keyPairTernary = findUserByApiKey(apiKey);
+        if (keyPairTernary != null) {
+            throw new InvalidParameterValueException(String.format("The API key [%s] already exists in the system. Please provide a unique key.", apiKey));
+        }
+
+        lastUserKeyPair.setApiKey(apiKey);
+        lastUserKeyPair.setSecretKey(secretKey);
+        apiKeyPairDao.update(lastUserKeyPair.getId(), lastUserKeyPair);
     }
 
     protected void validateAndUpdateUserApiKeyAccess(UpdateUserCmd updateUserCmd, UserVO user) {
@@ -2418,6 +2478,9 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         // don't allow to delete the user from the account of type Project
         checkAccountAndAccess(user, account);
         verifyCallerPrivilegeForUserOrAccountOperations(user);
+
+        removeUserApiKeys(id);
+
         return _userDao.remove(id);
     }
 
@@ -2457,8 +2520,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                 UserVO newUser = new UserVO(user);
                 user.setExternalEntity(user.getUuid());
                 user.setUuid(UUID.randomUUID().toString());
-                user.setApiKey(null);
-                user.setSecretKey(null);
                 _userDao.update(user.getId(), user);
                 newUser.setAccountId(newAccountId);
                 boolean success = _userDao.remove(user.getId());
@@ -3094,37 +3155,46 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     }
 
     @Override
-    public Pair<User, Account> findUserByApiKey(String apiKey) {
-        UserAccount userAccount = userAccountDao.getUserByApiKey(apiKey);
-        if (userAccount != null) {
-            User user = _userDao.getUser(userAccount.getId());
-            Account account = _accountDao.findById(userAccount.getAccountId());
-            return new Pair<>(user, account);
-        } else {
+    public Ternary<User, Account, ApiKeyPair> findUserByApiKey(String apiKey) {
+        ApiKeyPairVO keyPairVO = apiKeyPairDao.findByApiKey(apiKey);
+        if (keyPairVO == null) {
             return null;
         }
+
+        User user = _userDao.getUser(keyPairVO.getUserId());
+        Account account = _accountDao.findById(keyPairVO.getAccountId());
+        return new Ternary<>(user, account, keyPairVO);
     }
 
     @Override
     public Pair<Boolean, Map<String, String>> getKeys(GetUserKeysCmd cmd) {
-        final long userId = cmd.getID();
-        return getKeys(userId);
-    }
-
-    @Override
-    public Pair<Boolean, Map<String, String>> getKeys(Long userId) {
+        final long userId = cmd.getId();
         User user = getActiveUser(userId);
         if (user == null) {
-            throw new InvalidParameterValueException("Unable to find user by id");
+            throw new InvalidParameterValueException(String.format("Unable to find active user with ID [%s].", userId));
         }
-        final Account account = getAccount(getUserAccountById(userId).getAccountId()); //Extracting the Account from the userID of the requested user.
+        final Account account = getAccount(user.getAccountId());
         User caller = CallContext.current().getCallingUser();
         checkAccess(caller, account);
         verifyCallerPrivilegeForUserOrAccountOperations(user);
 
+        String accessingApiKey = getAccessingApiKey(cmd);
+        ApiKeyPair keyPair;
+        if (accessingApiKey != null) {
+            ApiKeyPair accessingKeyPair = apiKeyPairService.findByApiKey(accessingApiKey);
+            if (userId == accessingKeyPair.getUserId()) {
+                keyPair = apiKeyPairService.findByApiKey(accessingApiKey);
+            } else {
+                keyPair = _accountService.getLatestUserKeyPair(userId);
+            }
+        } else {
+            keyPair = _accountService.getLatestUserKeyPair(userId);
+        }
+
         Map<String, String> keys = new HashMap<>();
-        keys.put("apikey", user.getApiKey());
-        keys.put("secretkey", user.getSecretKey());
+        boolean isAllowed = keyPair != null && isAccessingKeypairSuperset(keyPair, cmd);
+        keys.put("apikey", isAllowed ? keyPair.getApiKey() : null);
+        keys.put("secretkey", isAllowed ? keyPair.getSecretKey() : null);
 
         Boolean apiKeyAccess = user.getApiKeyAccess();
         if (apiKeyAccess == null) {
@@ -3137,6 +3207,206 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return new Pair<>(apiKeyAccess, keys);
     }
 
+    @Override
+    public ListResponse<ApiKeyPairResponse> listKeys(ListUserKeysCmd cmd) {
+        ListResponse<ApiKeyPairResponse> finalResponse = new ListResponse<>();
+        List<ApiKeyPairResponse> responses = new ArrayList<>();
+
+        if (cmd.getKeyId() != null || cmd.getApiKeyFilter() != null) {
+            fetchOnlyOneKeyPair(responses, cmd);
+            finalResponse.setResponses(responses);
+            return finalResponse;
+        }
+
+        Integer total = fetchMultipleKeyPairs(responses, cmd);
+        finalResponse.setResponses(responses, total);
+        return finalResponse;
+    }
+
+    private void fetchOnlyOneKeyPair(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
+        ApiKeyPair keyPair;
+        if (cmd.getKeyId() != null) {
+            keyPair = _accountService.getKeyPairById(cmd.getKeyId());
+        } else {
+            keyPair = _accountService.getKeyPairByApiKey(cmd.getApiKeyFilter());
+        }
+
+        validateKeyPairIsNotNull(keyPair);
+        validateAccessingKeyPairPermissionsIsSupersetOfAccessedKeyPair(keyPair, cmd);
+        validateAccessToApiKey(keyPair);
+        removeApiKeyPairIfExpired(keyPair);
+
+        addKeypairResponse(keyPair, responses, cmd);
+    }
+
+    private void validateAccessToApiKey(ApiKeyPair keyPair) {
+        Account caller = getCurrentCallingAccount();
+        logger.debug("Verifying if caller [{}] has access to API key pair whose ID is [{}].", caller.getAccountName(), keyPair.getUuid());
+        Account account = _accountDao.findById(keyPair.getAccountId());
+        checkAccess(caller, null, false, account);
+        _accountService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
+    }
+
+    private Integer fetchMultipleKeyPairs(List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
+        List<Long> users;
+        if (cmd.getUserId() != null) {
+            _accountService.validateCallingUserHasAccessToDesiredUser(cmd.getUserId());
+            users = List.of(cmd.getUserId());
+        } else {
+            User callerUser = CallContext.current().getCallingUser();
+            users = cmd.getListAll() && isAdmin(callerUser.getAccountId()) ? queryService.searchForAccessibleUsers() : List.of(callerUser.getId());
+        }
+
+        Pair<List<ApiKeyPairVO>, Integer> keyPairs = apiKeyPairDao.listByUserIdsPaginated(users, cmd);
+        keyPairs.first().stream()
+                .filter(keyPair -> isAccessingKeypairSuperset(keyPair, cmd))
+                .forEach(keyPair -> {
+                    addKeypairResponse(keyPair, responses, cmd);
+                    removeApiKeyPairIfExpired(keyPair);
+                });
+
+        return keyPairs.second();
+    }
+
+    @Override
+    public List<ApiKeyPairPermission> listKeyRules(ListUserKeyRulesCmd cmd) {
+        ApiKeyPair keyPair = apiKeyPairService.findById(cmd.getId());
+
+        validateKeyPairIsNotNull(keyPair);
+        validateAccessingKeyPairPermissionsIsSupersetOfAccessedKeyPair(keyPair, cmd);
+        _accountService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
+
+        Account account = _accountDao.findById(keyPair.getAccountId());
+        return apiKeyPairService.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());
+    }
+
+    private void validateKeyPairIsNotNull(ApiKeyPair keyPair) {
+        if (keyPair == null) {
+            logger.info("Keypair not found.");
+            throw new InvalidParameterValueException("Could not complete request.");
+        }
+    }
+
+    private void validateAccessingKeyPairPermissionsIsSupersetOfAccessedKeyPair(ApiKeyPair keyPair, BaseCmd cmd) {
+        if (!isAccessingKeypairSuperset(keyPair, cmd)) {
+            logger.info("Accessing API key pair [{}] has less permissions than accessed API key pair.", keyPair.getId());
+            throw new PermissionDeniedException("Could not complete request.");
+        }
+    }
+
+    private Boolean isAccessingKeypairSuperset(ApiKeyPair accessedKeyPair, BaseCmd cmd) {
+        String apiKey = getAccessingApiKey(cmd);
+        if (apiKey == null) {
+            return Boolean.TRUE;
+        }
+        ApiKeyPair accessingKeyPair = apiKeyPairService.findByApiKey(apiKey);
+        return isApiKeySupersetOfPermission(new ArrayList<>(getAllKeypairPermissions(accessingKeyPair.getApiKey())), new ArrayList<>(getAllKeypairPermissions(accessedKeyPair.getApiKey())));
+    }
+
+    @Override
+    public String getAccessingApiKey(BaseCmd cmd) {
+        try {
+            if (cmd instanceof BaseAsyncCmd && ((BaseAsyncCmd) cmd).getJob().toString().contains("\"signature\"")) {
+                return parseApiKeyFromAsyncJob((BaseAsyncCmd) cmd);
+            }
+            boolean accessedByApiKey = cmd.getFullUrlParams().containsKey(ApiConstants.SIGNATURE);
+            String accessingApiKey = cmd.getFullUrlParams().get("apiKey");
+            if (accessedByApiKey) {
+                return accessingApiKey;
+            }
+        } catch (NullPointerException e) {
+            logger.info("Accessing API through session.");
+        }
+        return null;
+    }
+
+    private String parseApiKeyFromAsyncJob(BaseAsyncCmd cmd) {
+        String jobString = cmd.getJob().toString();
+        int indexOfApiKey = jobString.indexOf("apiKey") + 9;
+        return jobString.substring(indexOfApiKey, jobString.indexOf("\"", indexOfApiKey));
+    }
+
+    private Boolean isApiKeySupersetOfPermission(List<RolePermissionEntity> baseKeyPairPermissions, List<RolePermissionEntity> comparedPermissions) {
+        Map<String, RolePermissionEntity> apiNameToBaseKeyPermissions = roleService.getRoleRulesAndPermissions(baseKeyPairPermissions);
+
+        return roleService.roleHasPermission(apiNameToBaseKeyPermissions, comparedPermissions);
+    }
+
+    private void removeApiKeyPairIfExpired(ApiKeyPair apiKeyPair) {
+        if (apiKeyPair.hasEndDatePassed()) {
+            internalDeleteApiKey(apiKeyPair);
+        }
+    }
+
+    public void deleteApiKey(DeleteUserKeysCmd cmd) {
+        ApiKeyPair keyPair = apiKeyPairService.findById(cmd.getId());
+        if (keyPair == null) {
+            throw new InvalidParameterValueException(String.format("No keypair found with the ID [%s].", cmd.getId()));
+        }
+        _accountService.validateCallingUserHasAccessToDesiredUser(keyPair.getUserId());
+
+        deleteApiKey(keyPair);
+    }
+
+    @Override
+    public void validateCallingUserHasAccessToDesiredUser(Long userId) {
+        User desiredUser = _userDao.getUser(userId);
+        if (desiredUser == null) {
+            throw new CloudRuntimeException(String.format("Unable to find user with ID [%s].", userId));
+        }
+        verifyCallerPrivilegeForUserOrAccountOperations(desiredUser);
+    }
+
+    @Override
+    public void deleteApiKey(ApiKeyPair keyPair) {
+        User user = _userDao.findByIdIncludingRemoved(keyPair.getUserId());
+        if (user == null) {
+            throw new InvalidParameterValueException("User associated with the API key pair does not exist.");
+        }
+
+        if ((BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(user.getUsername()) || user.getId() == User.UID_SYSTEM)
+                && Boolean.parseBoolean(_configDao.getValue(Config.BaremetalProvisionDoneNotificationEnabled.key()))) {
+            throw new PermissionDeniedException(String.format("User ID [%s] is a system account and the global setting " +
+                    "baremetal.provision.done.notification is enabled. Therefore, it is not possible to delete API key pairs. If you wish to delete " +
+                    "the baremetal user/account or their API Key, please disable the baremetal.provision.done.notification configuration.", user.getUuid()));
+        }
+        internalDeleteApiKey(keyPair);
+    }
+
+    private void internalDeleteApiKey(ApiKeyPair keyPair) {
+        List<ApiKeyPairPermissionVO> permissions = apiKeyPairPermissionsDao.findAllByApiKeyPairId(keyPair.getId());
+        for (ApiKeyPairPermission permission : permissions) {
+            apiKeyPairPermissionsDao.remove(permission.getId());
+        }
+        apiKeyPairDao.remove(keyPair.getId());
+    }
+
+    private void addKeypairResponse(ApiKeyPair keyPair, List<ApiKeyPairResponse> responses, ListUserKeysCmd cmd) {
+        if (keyPair == null) {
+            return;
+        }
+        ApiKeyPairResponse response = cmd._responseGenerator.createKeyPairResponse(keyPair);
+        if (Boolean.TRUE.equals(cmd.getShowPermissions())) {
+            Account account = _accountDao.findById(keyPair.getAccountId());
+            List<ApiKeyPairPermission> apiKeyPairPermissions = apiKeyPairService.findAllPermissionsByKeyPairId(keyPair.getId(), account.getRoleId());
+            response.setPermissions(apiKeyPairPermissions.stream().map(apiKeyPairPermission -> {
+                BaseRolePermissionResponse rolePermissionResponse = new BaseRolePermissionResponse();
+                rolePermissionResponse.setRule(apiKeyPairPermission.getRule());
+                rolePermissionResponse.setDescription(apiKeyPairPermission.getDescription());
+                rolePermissionResponse.setRulePermission(apiKeyPairPermission.getPermission());
+
+                return rolePermissionResponse;
+            }).collect(Collectors.toList()));
+        }
+        response.setObjectName(ApiConstants.USER_API_KEY);
+        responses.add(response);
+    }
+
+    @Override
+    public ApiKeyPair getKeyPairById(Long id) {
+        return apiKeyPairDao.findById(id);
+    }
+
     protected void preventRootDomainAdminAccessToRootAdminKeys(User caller, ControlledEntity account) {
         if (isDomainAdminForRootDomain(caller) && isRootAdmin(account.getAccountId())) {
             String msg = String.format("Caller Username %s does not have access to root admin keys", caller.getUsername());
@@ -3150,6 +3420,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return caller.getType() == Account.Type.DOMAIN_ADMIN && caller.getDomainId() == Domain.ROOT_DOMAIN;
     }
 
+    @Override
+    public ApiKeyPair getKeyPairByApiKey(String apiKey) {
+        return apiKeyPairDao.findByApiKey(apiKey);
+    }
+
     @Override
     public List<UserTwoFactorAuthenticator> listUserTwoFactorAuthenticationProviders() {
         return userTwoFactorAuthenticationProviders;
@@ -3174,39 +3449,43 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Override
     @DB
     @ActionEvent(eventType = EventTypes.EVENT_REGISTER_FOR_SECRET_API_KEY, eventDescription = "register for the developer API keys")
-    public String[] createApiKeyAndSecretKey(RegisterUserKeyCmd cmd) {
+    public ApiKeyPair createApiKeyAndSecretKey(RegisterUserKeysCmd cmd) {
         Account caller = getCurrentCallingAccount();
-        final Long userId = cmd.getId();
-
-        User user = getUserIncludingRemoved(userId);
+        User user = _userDao.findById(cmd.getUserId());
         if (user == null) {
-            throw new InvalidParameterValueException("unable to find user by id");
+            throw new InvalidParameterValueException(String.format("Unable to find user by ID: %d", cmd.getUserId()));
         }
 
+        final String name = cmd.getName();
+        final long userId = user.getId();
+        final String description = cmd.getDescription();
+        final Date startDate = cmd.getStartDate();
+        final Date endDate = cmd.getEndDate();
+        final List<Map<String, Object>> rules = cmd.getRules();
+
         Account account = _accountDao.findById(user.getAccountId());
         checkAccess(caller, null, true, account);
         verifyCallerPrivilegeForUserOrAccountOperations(user);
 
-        // don't allow updating system user
-        if (user.getId() == User.UID_SYSTEM) {
-            throw new PermissionDeniedException(String.format("user: %s is system account, update is not allowed", user));
-        }
-        // don't allow baremetal system user
-        if (BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(user.getUsername())) {
-            throw new PermissionDeniedException(String.format("user: %s is system account, update is not allowed", user));
+        if (BaremetalUtils.BAREMETAL_SYSTEM_ACCOUNT_NAME.equals(user.getUsername()) || user.getId() == User.UID_SYSTEM) {
+            throw new PermissionDeniedException(String.format("User ID: [%s] is a system account and, thus, the operation is not allowed.", user.getId()));
         }
 
-        // generate both an api key and a secret key, update the user table with the keys, return the keys to the user
-        final String[] keys = new String[2];
-        Transaction.execute(new TransactionCallbackNoReturn() {
-            @Override
-            public void doInTransactionWithoutResult(TransactionStatus status) {
-                keys[0] = createUserApiKey(userId);
-                keys[1] = createUserSecretKey(userId);
-            }
+        Date now = DateTime.now().toDate();
+
+        if (endDate != null && endDate.compareTo(now) <= 0) {
+            throw new InvalidParameterValueException("Keypair cannot be created with expired date, please input a date in the future.");
+        }
+        if (ObjectUtils.allNotNull(startDate, endDate) && startDate.compareTo(endDate) > -1) {
+            throw new InvalidParameterValueException("Please specify an end date that is after the start date.");
+        }
+
+        final ApiKeyPairVO newApiKeyPair = new ApiKeyPairVO(name, userId, description, startDate, endDate, account);
+        return Transaction.execute((TransactionCallback<ApiKeyPairVO>) status -> {
+            createUserApiKey(userId, newApiKeyPair);
+            createUserSecretKey(userId, newApiKeyPair);
+            return validateAndPersistKeyPairAndPermissions(account, newApiKeyPair, rules, cmd);
         });
-
-        return keys;
     }
 
     @Override
@@ -3221,37 +3500,91 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         Account account = _accountDao.findById(user.getAccountId());
         checkAccess(caller, null, true, account);
         final String[] keys = new String[2];
+        ApiKeyPairVO newTokenKeyPair = new ApiKeyPairVO();
+        newTokenKeyPair.setName(String.valueOf(userId));
+        newTokenKeyPair.setAccountId(user.getAccountId());
+        newTokenKeyPair.setDomainId(account.getDomainId());
+        newTokenKeyPair.setUserId(userId);
+
         Transaction.execute(new TransactionCallbackNoReturn() {
             @Override
             public void doInTransactionWithoutResult(TransactionStatus status) {
-                keys[0] = AccountManagerImpl.this.createUserApiKey(userId);
-                keys[1] = AccountManagerImpl.this.createUserSecretKey(userId);
+                keys[0] = createUserApiKey(userId, newTokenKeyPair);
+                keys[1] = createUserSecretKey(userId, newTokenKeyPair);
+                apiKeyPairDao.persist(newTokenKeyPair);
             }
         });
         return keys;
     }
 
-    private String createUserApiKey(long userId) {
-        try {
-            UserVO updatedUser = _userDao.createForUpdate();
+    /**
+     * Persists the API key pair and its corresponding permissions. Verifies whether
+     * the key pair being created is a superset of its owner's permissions.
+     * @param account Account owner of the key pair.
+     * @param newApiKeyPair The key pair object to be persisted.
+     * @param rules The set of rules of the key pair.
+     * @param cmd The API's command.
+     * @return The persisted key pair object.
+     */
+    @DB
+    private ApiKeyPairVO validateAndPersistKeyPairAndPermissions(Account account, ApiKeyPairVO newApiKeyPair,
+                                                                 List<Map<String, Object>> rules, RegisterUserKeysCmd cmd) {
+        String accessingApiKey = getAccessingApiKey(cmd);
+        final Role accountRole = roleService.findRole(account.getRoleId());
+        List<RolePermissionEntity> allPermissions = accessingApiKey == null ?
+                roleService.findAllRolePermissionsEntityBy(accountRole.getId(), true) : getAllKeypairPermissions(accessingApiKey);
 
+        List<RolePermissionEntity> permissions = new ArrayList<>();
+        for (Map<String, Object> ruleDetail : rules) {
+            String rule = ruleDetail.get(ApiConstants.RULE).toString();
+            RolePermission.Permission rulePermission = (RolePermission.Permission) ruleDetail.get(ApiConstants.PERMISSION);
+            String ruleDescription = (String) ruleDetail.get(ApiConstants.DESCRIPTION);
+            permissions.add(new ApiKeyPairPermissionVO(0, rule, rulePermission, ruleDescription));
+        }
+
+        if (!isApiKeySupersetOfPermission(allPermissions, permissions)) {
+            throw new InvalidParameterValueException(String.format("The key pair being created has a bigger set of permissions than the account [%s] " +
+                    "that owns it. This is not allowed.", account.getUuid()));
+        }
+
+        ApiKeyPairVO savedApiKeyPair = apiKeyPairDao.persist(newApiKeyPair);
+        permissions.forEach(permission -> {
+            ApiKeyPairPermissionVO permissionVO = (ApiKeyPairPermissionVO) permission;
+            permissionVO.setApiKeyPairId(savedApiKeyPair.getId());
+            apiKeyPairPermissionsDao.persist(permissionVO);
+        });
+        return savedApiKeyPair;
+    }
+
+    @Override
+    public List<RolePermissionEntity> getAllKeypairPermissions(String apiKey) {
+        if (apiKey == null) {
+            throw new InvalidParameterValueException("API key not present in the request's URL and, thus, unable to fetch API key rules.");
+        }
+        ApiKeyPair apiKeyPair = keyPairManager.findByApiKey(apiKey);
+        Account account = _accountDao.findById(apiKeyPair.getAccountId());
+        List<ApiKeyPairPermission> keyPairPermissions = keyPairManager.findAllPermissionsByKeyPairId(apiKeyPair.getId(), account.getRoleId());
+        return new ArrayList<>(keyPairPermissions);
+    }
+
+    private String createUserApiKey(long userId, ApiKeyPairVO newApiKeyPair) {
+        try {
             String encodedKey;
-            UserAccount userAcct;
+            ApiKeyPair keyPair;
             int retryLimit = 10;
             do {
                 // FIXME: what algorithm should we use for API keys?
                 KeyGenerator generator = KeyGenerator.getInstance("HmacSHA1");
                 SecretKey key = generator.generateKey();
                 encodedKey = Base64.encodeBase64URLSafeString(key.getEncoded());
-                userAcct = userAccountDao.getUserByApiKey(encodedKey);
+                keyPair = apiKeyPairDao.findByApiKey(encodedKey);
                 retryLimit--;
-            } while ((userAcct != null) && (retryLimit >= 0));
+            } while ((keyPair != null) && (retryLimit >= 0));
 
-            if (userAcct != null) {
+            if (keyPair != null) {
                 return null;
             }
-            updatedUser.setApiKey(encodedKey);
-            _userDao.update(userId, updatedUser);
+            newApiKeyPair.setApiKey(encodedKey);
             return encodedKey;
         } catch (NoSuchAlgorithmException ex) {
             logger.error("error generating secret key for user {}", userAccountDao.findById(userId), ex);
@@ -3259,26 +3592,24 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return null;
     }
 
-    private String createUserSecretKey(long userId) {
+    private String createUserSecretKey(long userId, ApiKeyPairVO newApiKeyPair) {
         try {
-            UserVO updatedUser = _userDao.createForUpdate();
             String encodedKey;
             int retryLimit = 10;
-            UserVO userBySecretKey;
+            ApiKeyPairVO keyPairVO;
             do {
                 KeyGenerator generator = KeyGenerator.getInstance("HmacSHA1");
                 SecretKey key = generator.generateKey();
                 encodedKey = Base64.encodeBase64URLSafeString(key.getEncoded());
-                userBySecretKey = _userDao.findUserBySecretKey(encodedKey);
+                keyPairVO = apiKeyPairDao.findBySecretKey(encodedKey);
                 retryLimit--;
-            } while ((userBySecretKey != null) && (retryLimit >= 0));
+            } while ((keyPairVO != null) && (retryLimit >= 0));
 
-            if (userBySecretKey != null) {
+            if (keyPairVO != null) {
                 return null;
             }
 
-            updatedUser.setSecretKey(encodedKey);
-            _userDao.update(userId, updatedUser);
+            newApiKeyPair.setSecretKey(encodedKey);
             return encodedKey;
         } catch (NoSuchAlgorithmException ex) {
             logger.error("error generating secret key for user {}", userAccountDao.findById(userId), ex);
@@ -3286,6 +3617,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return null;
     }
 
+    public ApiKeyPair getLatestUserKeyPair(Long userId) {
+        return ApiDBUtils.searchForLatestUserKeyPair(userId);
+    }
+
     @Override
     public void buildACLSearchBuilder(SearchBuilder<? extends ControlledEntity> sb, Long domainId, boolean isRecursive, List<Long> permittedAccounts,
             ListProjectResourcesCriteria listProjectResourcesCriteria) {
@@ -3492,7 +3827,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 
     @Override
     public UserAccount getUserByApiKey(String apiKey) {
-        return userAccountDao.getUserByApiKey(apiKey);
+        ApiKeyPairVO keyPair = apiKeyPairDao.findByApiKey(apiKey);
+        return userAccountDao.findById(keyPair.getUserId());
     }
 
     @Override
@@ -3553,9 +3889,10 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     @Override
     public UserAccount getUserAccountById(Long userId) {
         UserAccount userAccount = userAccountDao.findById(userId);
-        Map<String, String> details = _userDetailsDao.listDetailsKeyPairs(userId);
-        userAccount.setDetails(details);
-
+        if (userAccount != null) {
+            Map<String, String> details = _userDetailsDao.listDetailsKeyPairs(userId);
+            userAccount.setDetails(details);
+        }
         return userAccount;
     }
 
diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
index 36f1f7a2f12..4597ef81965 100644
--- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java
@@ -60,6 +60,7 @@ import javax.naming.ConfigurationException;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.ParserConfigurationException;
 
+import com.cloud.serializer.GsonHelper;
 import com.cloud.storage.SnapshotPolicyVO;
 import com.cloud.storage.dao.SnapshotPolicyDao;
 import org.apache.cloudstack.acl.ControlledEntity;
@@ -132,6 +133,7 @@ import org.apache.cloudstack.framework.async.AsyncCallFuture;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
@@ -651,6 +653,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
 
     protected static long ROOT_DEVICE_ID = 0;
 
+    private final Type jobParamsType = new TypeToken<HashMap<String, String>>() {}.getType();
+
     public List<KubernetesServiceHelper> getKubernetesServiceHelpers() {
         return kubernetesServiceHelpers;
     }
@@ -3459,14 +3463,14 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         return AllowUserExpungeRecoverVm.valueIn(accountId);
     }
 
-    protected void checkExpungeVmPermission (Account callingAccount) {
+    protected void checkExpungeVmPermission(Account callingAccount, String apiKey) {
         logger.debug(String.format("Checking if [%s] has permission for expunging VMs.", callingAccount));
         if (!_accountMgr.isAdmin(callingAccount.getId()) && !getConfigAllowUserExpungeRecoverVm(callingAccount.getId())) {
             logger.error(String.format("Parameter [%s] can only be passed by Admin accounts or when the allow.user.expunge.recover.vm key is true.", ApiConstants.EXPUNGE));
             throw new PermissionDeniedException("Account does not have permission for expunging.");
         }
         try {
-            _accountMgr.checkApiAccess(callingAccount, BaseCmd.getCommandNameByClass(ExpungeVMCmd.class));
+            _accountMgr.checkApiAccess(callingAccount, BaseCmd.getCommandNameByClass(ExpungeVMCmd.class), apiKey);
         } catch (PermissionDeniedException ex) {
             logger.error(String.format("Role [%s] of [%s] does not have permission for expunging VMs.", callingAccount.getRoleId(), callingAccount));
             throw new PermissionDeniedException("Account does not have permission for expunging.");
@@ -3491,7 +3495,10 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         boolean expunge = cmd.getExpunge();
 
         if (expunge) {
-            checkExpungeVmPermission(ctx.getCallingAccount());
+            String jobParamsString = ((AsyncJobVO) cmd.getJob()).getCmdInfo();
+            HashMap<String,String> jobParams = GsonHelper.getGson().fromJson(jobParamsString, jobParamsType);
+            String apiKey = jobParams.get("apiKey");
+            checkExpungeVmPermission(ctx.getCallingAccount(), apiKey);
         }
 
         // check if VM exists
diff --git a/server/src/main/java/org/apache/cloudstack/acl/ApiKeyPairManagerImpl.java b/server/src/main/java/org/apache/cloudstack/acl/ApiKeyPairManagerImpl.java
new file mode 100644
index 00000000000..07ad3835167
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/acl/ApiKeyPairManagerImpl.java
@@ -0,0 +1,87 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl;
+
+import com.cloud.utils.component.ManagerBase;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairPermission;
+import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
+import org.apache.cloudstack.acl.dao.ApiKeyPairPermissionsDao;
+import org.apache.commons.collections.CollectionUtils;
+
+import javax.inject.Inject;
+import java.util.List;
+
+public class ApiKeyPairManagerImpl extends ManagerBase implements ApiKeyPairService {
+    @Inject
+    private ApiKeyPairDao apiKeyPairDao;
+    @Inject
+    private ApiKeyPairPermissionsDao apiKeyPairPermissionsDao;
+    @Inject
+    private RoleService roleService;
+
+    @Override
+    public List<ApiKeyPairPermission> findAllPermissionsByKeyPairId(Long apiKeyPairId, Long roleId) {
+        List<ApiKeyPairPermissionVO> keyPairPermissions = apiKeyPairPermissionsDao.findAllByKeyPairIdSorted(apiKeyPairId);
+        List<RolePermissionEntity> rolePermissions = roleService.findAllRolePermissionsEntityBy(roleId, true);
+
+        if (CollectionUtils.isEmpty(keyPairPermissions)) {
+            return rolePermissions.stream()
+                    .map(rolePermission -> new ApiKeyPairPermissionVO(rolePermission.getRule().getRuleString(), rolePermission.getPermission(), rolePermission.getDescription()))
+                    .collect(Collectors.toList());
+        }
+
+        Map<String, RolePermissionEntity> rolePermissionInfo = roleService.getRoleRulesAndPermissions(rolePermissions);
+        if (roleService.roleHasPermission(rolePermissionInfo, new ArrayList<>(keyPairPermissions))) {
+            return new ArrayList<>(keyPairPermissions);
+        }
+
+        Map<String, RolePermissionEntity> keyPairPermissionInfo = roleService.getRoleRulesAndPermissions(new ArrayList<>(keyPairPermissions));
+        return getRulesToBeKeptForTheKeyPair(rolePermissionInfo, keyPairPermissionInfo)
+                .entrySet().stream().map((permission) -> new ApiKeyPairPermissionVO(permission.getKey(), permission.getValue().getPermission(), permission.getValue().getDescription()))
+                .collect(Collectors.toList());
+    }
+
+    private Map<String, RolePermissionEntity> getRulesToBeKeptForTheKeyPair(Map<String, RolePermissionEntity> rolePermissions, Map<String, RolePermissionEntity> keyPairPermissions) {
+        Map<String, RolePermissionEntity> rulesToBeKept = new HashMap<>();
+        for (Map.Entry<String, RolePermissionEntity> keyPairPermission : keyPairPermissions.entrySet()) {
+            String rule = keyPairPermission.getKey();
+            RolePermissionEntity permission = keyPairPermission.getValue();
+            boolean permissionGrantedByRole = rolePermissions.containsKey(rule) && rolePermissions.get(rule).getPermission() == RolePermissionEntity.Permission.ALLOW;
+            if (permission.getPermission() == RolePermissionEntity.Permission.ALLOW && permissionGrantedByRole) {
+                rulesToBeKept.put(rule, permission);
+            }
+        }
+        return rulesToBeKept;
+    }
+
+    @Override
+    public ApiKeyPair findByApiKey(String apiKey) {
+        return apiKeyPairDao.findByApiKey(apiKey);
+    }
+
+    @Override
+    public ApiKeyPair findById(Long id) {
+        return apiKeyPairDao.findById(id);
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java b/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java
index d1ae1b44a51..0cf874d9a7f 100644
--- a/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/acl/RoleManagerImpl.java
@@ -75,6 +75,7 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
     private RolePermissionsDao rolePermissionsDao;
     @Inject
     private AccountManager accountManager;
+    private List<APIChecker> apiAccessCheckers;
 
     public void checkCallerAccess() {
         if (!isEnabled()) {
@@ -449,20 +450,21 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
     /**
      *  Removes roles from the given list if the role has different or more permissions than the user's calling the method role
      */
-    protected int removeRolesIfNeeded(List<? extends Role> roles) {
+    @Override
+    public int removeRolesIfNeeded(List<? extends Role> roles) {
         if (roles.isEmpty()) {
             return 0;
         }
 
         Long callerRoleId = getCurrentAccount().getRoleId();
-        Map<String, Permission> callerRolePermissions = getRoleRulesAndPermissions(callerRoleId);
+        Map<String, RolePermissionEntity> callerRolePermissions = getRoleRulesAndPermissions(findAllRolePermissionsEntityBy(callerRoleId, false));
 
         int count = 0;
         Iterator<? extends Role> rolesIterator = roles.iterator();
         while (rolesIterator.hasNext()) {
             Role role = rolesIterator.next();
 
-            if (role.getId() == callerRoleId || roleHasPermission(callerRolePermissions, role)) {
+            if (role.getId() == callerRoleId || roleHasPermission(callerRolePermissions, findAllRolePermissionsEntityBy(role.getId(), false))) {
                 continue;
             }
 
@@ -473,17 +475,11 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
         return count;
     }
 
-    /**
-     * Checks if the role of the caller account has compatible permissions of the specified role.
-     * For each permission of the role of the caller, the target role needs to contain the same permission.
-     *
-     * @param sourceRolePermissions the permissions of the caller role.
-     * @param targetRole the role that the caller role wants to access.
-     * @return True if the role can be accessed with the given permissions; false otherwise.
-     */
-    protected boolean roleHasPermission(Map<String, Permission> sourceRolePermissions, Role targetRole) {
+
+    @Override
+    public boolean roleHasPermission(Map<String, RolePermissionEntity> rolePermissions, List<RolePermissionEntity> rolePermissionsToAccess) {
         Set<String> rulesAlreadyCompared = new HashSet<>();
-        for (RolePermission rolePermission : findAllPermissionsBy(targetRole.getId())) {
+        for (RolePermissionEntity rolePermission : rolePermissionsToAccess) {
             boolean permissionIsRegex = rolePermission.getRule().getRuleString().contains("*");
 
             for (String apiName : accountManager.getApiNameList()) {
@@ -491,7 +487,7 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
                     continue;
                 }
 
-                if (rolePermission.getPermission() == Permission.ALLOW && (!sourceRolePermissions.containsKey(apiName) || sourceRolePermissions.get(apiName) == Permission.DENY)) {
+                if (rolePermission.getPermission() == Permission.ALLOW && (!rolePermissions.containsKey(apiName) || rolePermissions.get(apiName).getPermission() == Permission.DENY)) {
                     return false;
                 }
 
@@ -506,34 +502,34 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
         return true;
     }
 
-    /**
-     * Given a role ID, returns a {@link Map} containing the API name as the key and the {@link Permission} for the API as the value.
-     *
-     * @param roleId ID from role.
-     */
-    public Map<String, Permission> getRoleRulesAndPermissions(Long roleId) {
-        Map<String, Permission> roleRulesAndPermissions = new HashMap<>();
+    @Override
+    public Map<String, RolePermissionEntity> getRoleRulesAndPermissions(List<RolePermissionEntity> rolePermissions) {
+        Map<String, RolePermissionEntity> roleRulesAndPermissions = new HashMap<>();
 
-        for (RolePermission rolePermission : findAllPermissionsBy(roleId)) {
+        for (RolePermissionEntity rolePermission : rolePermissions) {
             boolean permissionIsRegex = rolePermission.getRule().getRuleString().contains("*");
 
-            for (String apiName : accountManager.getApiNameList()) {
-                if (!rolePermission.getRule().matches(apiName)) {
-                    continue;
-                }
-
-                if (!roleRulesAndPermissions.containsKey(apiName)) {
-                    roleRulesAndPermissions.put(apiName, rolePermission.getPermission());
-                }
-
-                if (!permissionIsRegex) {
-                    break;
-                }
-            }
+            mapRolePermissionToApiNames(rolePermission, roleRulesAndPermissions, permissionIsRegex);
         }
         return roleRulesAndPermissions;
     }
 
+    private void mapRolePermissionToApiNames(RolePermissionEntity rolePermission, Map<String, RolePermissionEntity> roleRulesAndPermissions, boolean permissionIsRegex) {
+        for (String apiName : accountManager.getApiNameList()) {
+            if (!rolePermission.getRule().matches(apiName)) {
+                continue;
+            }
+
+            if (!roleRulesAndPermissions.containsKey(apiName)) {
+                roleRulesAndPermissions.put(apiName, rolePermission);
+            }
+
+            if (!permissionIsRegex) {
+                break;
+            }
+        }
+    }
+
     @Override
     public List<Role> findRolesByType(RoleType roleType) {
         return findRolesByType(roleType, null, null, null).first();
@@ -571,6 +567,43 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
         return Collections.emptyList();
     }
 
+    @Override
+    public List<RolePermissionEntity> findAllRolePermissionsEntityBy(final Long roleId, final boolean considerImplicitRules) {
+        List<RolePermissionVO> rolePermissions = rolePermissionsDao.findAllByRoleIdSorted(roleId);
+        if (!considerImplicitRules) {
+            return new ArrayList<>(rolePermissions);
+        }
+
+        List<RolePermissionEntity> permissions = new ArrayList<>();
+        List<RolePermissionEntity> implicitPermissions = getImplicitRolePermissions(roleId);
+        for (RolePermissionEntity implicitPermission : implicitPermissions) {
+            boolean implicitPermissionAlreadyDefinedByExplicitPermissions = rolePermissions.stream()
+                    .anyMatch(permission -> permission.getRule().matches(implicitPermission.getRule().getRuleString()));
+            if (!implicitPermissionAlreadyDefinedByExplicitPermissions) {
+                permissions.add(implicitPermission);
+            }
+        }
+
+        permissions.addAll(rolePermissions);
+        return permissions;
+    }
+
+    private List<RolePermissionEntity> getImplicitRolePermissions(Long roleId) {
+        Role role = roleDao.findById(roleId);
+        if (role == null) {
+            return List.of();
+        }
+
+        for (APIChecker apiChecker : apiAccessCheckers) {
+            List<RolePermissionEntity> implicitPermissions = apiChecker.getImplicitRolePermissions(role.getRoleType());
+            if (apiChecker.isEnabled() && !CollectionUtils.isEmpty(implicitPermissions)) {
+                return implicitPermissions;
+            }
+        }
+
+        return List.of();
+    }
+
     private boolean isCallerRootAdmin() {
         return accountManager.isRootAdmin(getCurrentAccount().getId());
     }
@@ -613,4 +646,9 @@ public class RoleManagerImpl extends ManagerBase implements RoleService, Configu
         cmdList.add(DisableRoleCmd.class);
         return cmdList;
     }
+
+    @Inject
+    public void setApiAccessCheckers(List<APIChecker> apiAccessCheckers) {
+        this.apiAccessCheckers = apiAccessCheckers;
+    }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/main/java/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
index d212e7435b2..a2ef86e3c0c 100644
--- a/server/src/main/java/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@@ -25,6 +25,8 @@ import java.util.Set;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
+
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
@@ -41,6 +43,8 @@ import com.cloud.domain.DomainVO;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
+import com.cloud.kubernetes.cluster.KubernetesServiceHelper;
+import com.cloud.utils.component.ComponentContext;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.hypervisor.Hypervisor;
@@ -435,6 +439,13 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
         if (UserVmManager.SHAREDFSVM.equals(vmInstance.getUserVmType())) {
             throw new InvalidParameterValueException("Operation not supported on Shared FileSystem Instance");
         }
+        try {
+            KubernetesServiceHelper kubernetesServiceHelper =
+                    ComponentContext.getDelegateComponentOfType(KubernetesServiceHelper.class);
+            kubernetesServiceHelper.checkVmAffinityGroupsCanBeUpdated(vmInstance);
+        } catch (NoSuchBeanDefinitionException ignored) {
+            logger.debug("No KubernetesServiceHelper bean found");
+        }
         if (Hypervisor.HypervisorType.External.equals(vmInstance.getHypervisorType())) {
             logger.error("Update VM Affinity Group not supported for {} as it is {} hypervisor instance",
                     vmInstance, Hypervisor.HypervisorType.External.name());
diff --git a/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java b/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
index ed8391fe0c6..db636c7f0f4 100644
--- a/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/backup/BackupManagerImpl.java
@@ -42,6 +42,7 @@ import com.cloud.utils.DomainHelper;
 import org.apache.cloudstack.api.ApiCommandResourceType;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.InternalIdentity;
+import org.apache.cloudstack.api.command.admin.backup.CloneBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.DeleteBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.ImportBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.ListBackupProviderOfferingsCmd;
@@ -325,7 +326,6 @@ public class BackupManagerImpl extends ManagerBase implements BackupManager {
         return savedOffering;
     }
 
-    @Override
     public List<Long> getBackupOfferingDomains(Long offeringId) {
         final BackupOffering backupOffering = backupOfferingDao.findById(offeringId);
         if (backupOffering == null) {
@@ -334,6 +334,78 @@ public class BackupManagerImpl extends ManagerBase implements BackupManager {
         return backupOfferingDetailsDao.findDomainIds(offeringId);
     }
 
+    @Override
+    @ActionEvent(eventType = EventTypes.EVENT_VM_BACKUP_OFFERING_CLONE, eventDescription = "cloning backup offering")
+    public BackupOffering cloneBackupOffering(final CloneBackupOfferingCmd cmd) {
+        final BackupOfferingVO sourceOffering = backupOfferingDao.findById(cmd.getSourceOfferingId());
+        if (sourceOffering == null) {
+            throw new InvalidParameterValueException("Unable to find backup offering with ID: " + cmd.getSourceOfferingId());
+        }
+
+        validateBackupForZone(sourceOffering.getZoneId());
+
+        if (backupOfferingDao.findByName(cmd.getName(), sourceOffering.getZoneId()) != null) {
+            throw new CloudRuntimeException("A backup offering with the name '" + cmd.getName() + "' already exists in this zone");
+        }
+
+        final String description = cmd.getDescription() != null ? cmd.getDescription() : sourceOffering.getDescription();
+        final String externalId = cmd.getExternalId() != null ? cmd.getExternalId() : sourceOffering.getExternalId();
+        final boolean userDrivenBackups = cmd.getUserDrivenBackups() != null ? cmd.getUserDrivenBackups() : sourceOffering.isUserDrivenBackupAllowed();
+        final Long zoneId = cmd.getZoneId() != null ? cmd.getZoneId() : sourceOffering.getZoneId();
+
+        if (!Objects.equals(sourceOffering.getExternalId(), externalId) || !Objects.equals(sourceOffering.getZoneId(), zoneId)) {
+            final BackupProvider provider = getBackupProvider(zoneId);
+            if (!provider.isValidProviderOffering(zoneId, externalId)) {
+                throw new CloudRuntimeException("Backup offering '" + externalId + "' does not exist on provider " + provider.getName() + " on zone " + zoneId);
+            }
+        }
+
+        final BackupOffering existingOffering = backupOfferingDao.findByExternalId(externalId, zoneId);
+        if (existingOffering != null) {
+            throw new CloudRuntimeException("A backup offering with external ID '" + externalId + "' already exists in this zone");
+        }
+
+        final BackupOfferingVO clonedOffering = new BackupOfferingVO(
+                zoneId,
+                externalId,
+                sourceOffering.getProvider(),
+                cmd.getName(),
+                description,
+                userDrivenBackups
+        );
+
+        final BackupOfferingVO savedOffering = backupOfferingDao.persist(clonedOffering);
+        if (savedOffering == null) {
+            throw new CloudRuntimeException("Unable to clone backup offering from ID: " + cmd.getSourceOfferingId());
+        }
+
+        List<Long> filteredDomainIds = cmd.getDomainIds() == null ? new ArrayList<>() : new ArrayList<>(cmd.getDomainIds());
+        Collections.sort(filteredDomainIds);
+        updateBackupOfferingDomainDetail(savedOffering, filteredDomainIds);
+
+        logger.debug("Successfully cloned backup offering '" + sourceOffering.getName() + "' (ID: " + cmd.getSourceOfferingId() + ") to '" + cmd.getName() + "' (ID: " + savedOffering.getId() + ")");
+        return savedOffering;
+    }
+
+    private void updateBackupOfferingDomainDetail(BackupOfferingVO savedOffering, List<Long> filteredDomainIds) {
+        if (filteredDomainIds.size() > 1) {
+            filteredDomainIds = domainHelper.filterChildSubDomains(filteredDomainIds);
+        }
+
+        if (CollectionUtils.isNotEmpty(filteredDomainIds)) {
+            List<BackupOfferingDetailsVO> detailsVOList = new ArrayList<>();
+            for (Long domainId : filteredDomainIds) {
+                if (domainDao.findById(domainId) == null) {
+                    throw new InvalidParameterValueException("Please specify a valid domain id");
+                }
+                detailsVOList.add(new BackupOfferingDetailsVO(savedOffering.getId(), ApiConstants.DOMAIN_ID, String.valueOf(domainId), false));
+            }
+            if (!detailsVOList.isEmpty()) {
+                backupOfferingDetailsDao.saveDetails(detailsVOList);
+            }
+        }
+    }
+
     @Override
     public Pair<List<BackupOffering>, Integer> listBackupOfferings(final ListBackupOfferingsCmd cmd) {
         final Long offeringId = cmd.getOfferingId();
@@ -1745,6 +1817,7 @@ public class BackupManagerImpl extends ManagerBase implements BackupManager {
         cmdList.add(ListBackupProvidersCmd.class);
         cmdList.add(ListBackupProviderOfferingsCmd.class);
         cmdList.add(ImportBackupOfferingCmd.class);
+        cmdList.add(CloneBackupOfferingCmd.class);
         cmdList.add(ListBackupOfferingsCmd.class);
         cmdList.add(DeleteBackupOfferingCmd.class);
         cmdList.add(UpdateBackupOfferingCmd.class);
diff --git a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index 69d89b2ad36..ab6eb363be0 100644
--- a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -37,10 +37,14 @@
                   value="#{pluggableAPIAuthenticatorsRegistry.registered}" />
     </bean>
 
-    <bean id="roleManagerImpl" class="org.apache.cloudstack.acl.RoleManagerImpl" />
+    <bean id="roleManagerImpl" class="org.apache.cloudstack.acl.RoleManagerImpl">
+        <property name="apiAccessCheckers" value="#{apiAclCheckersRegistry.registered}" />
+    </bean>
 
     <bean id="projRoleManagerImpl" class="org.apache.cloudstack.acl.ProjectRoleManagerImpl" />
 
+    <bean id="ApiKeyPairManagerImpl" class="org.apache.cloudstack.acl.ApiKeyPairManagerImpl" />
+
     <bean id="accountManagerImpl" class="com.cloud.user.AccountManagerImpl">
         <property name="userAuthenticators"
             value="#{userAuthenticatorsRegistry.registered}" />
diff --git a/server/src/test/java/com/cloud/configuration/ConfigurationManagerCloneIntegrationTest.java b/server/src/test/java/com/cloud/configuration/ConfigurationManagerCloneIntegrationTest.java
new file mode 100644
index 00000000000..67d43bf6933
--- /dev/null
+++ b/server/src/test/java/com/cloud/configuration/ConfigurationManagerCloneIntegrationTest.java
@@ -0,0 +1,1054 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.configuration;
+
+import com.cloud.dc.dao.DataCenterDao;
+import com.cloud.domain.Domain;
+import com.cloud.domain.DomainVO;
+import com.cloud.domain.dao.DomainDao;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.Network;
+import com.cloud.network.Networks;
+import com.cloud.offering.DiskOffering;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.offering.ServiceOffering;
+import com.cloud.offerings.NetworkOfferingVO;
+import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
+import com.cloud.service.ServiceOfferingVO;
+import com.cloud.service.dao.ServiceOfferingDao;
+import com.cloud.service.dao.ServiceOfferingDetailsDao;
+import com.cloud.storage.DiskOfferingVO;
+import com.cloud.storage.Storage;
+import com.cloud.storage.dao.DiskOfferingDao;
+import com.cloud.user.Account;
+import com.cloud.user.AccountVO;
+import com.cloud.user.User;
+import com.cloud.user.UserVO;
+import com.cloud.user.dao.AccountDao;
+import com.cloud.user.dao.UserDao;
+import com.cloud.utils.DomainHelper;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.vm.VirtualMachine;
+import com.cloud.gpu.dao.VgpuProfileDao;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.resourcedetail.dao.DiskOfferingDetailsDao;
+import org.apache.cloudstack.vm.lease.VMLeaseManager;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyList;
+import static org.mockito.ArgumentMatchers.anyLong;
+import static org.mockito.ArgumentMatchers.anyMap;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.Silent.class)
+public class ConfigurationManagerCloneIntegrationTest {
+
+    @InjectMocks
+    @Spy
+    private ConfigurationManagerImpl configurationManager;
+
+    @Mock
+    private ServiceOfferingDao serviceOfferingDao;
+
+    @Mock
+    private ServiceOfferingDetailsDao serviceOfferingDetailsDao;
+
+    @Mock
+    private DiskOfferingDao diskOfferingDao;
+
+    @Mock
+    private DiskOfferingDetailsDao diskOfferingDetailsDao;
+
+    @Mock
+    private NetworkOfferingDao networkOfferingDao;
+
+    @Mock
+    private NetworkOfferingServiceMapDao networkOfferingServiceMapDao;
+
+    @Mock
+    private DomainDao domainDao;
+
+    @Mock
+    private DataCenterDao dataCenterDao;
+
+    @Mock
+    private EntityManager entityManager;
+
+    @Mock
+    private com.cloud.network.NetworkModel _networkModel;
+
+    @Mock
+    private com.cloud.offerings.dao.NetworkOfferingDetailsDao networkOfferingDetailsDao;
+
+    @Mock
+    private VgpuProfileDao vgpuProfileDao;
+
+    @Mock
+    private AccountDao accountDao;
+
+    @Mock
+    private UserDao userDao;
+
+    @Mock
+    private DomainHelper domainHelper;
+
+    private MockedStatic<CallContext> callContextMock;
+
+    @Before
+    public void setUp() {
+        callContextMock = Mockito.mockStatic(CallContext.class);
+        CallContext callContext = mock(CallContext.class);
+        callContextMock.when(CallContext::current).thenReturn(callContext);
+
+        AccountVO account = mock(AccountVO.class);
+        User user = mock(User.class);
+        Domain domain = mock(DomainVO.class);
+        UserVO userVO = mock(UserVO.class);
+
+        Mockito.lenient().when(callContext.getCallingAccount()).thenReturn(account);
+        Mockito.lenient().when(callContext.getCallingUser()).thenReturn(user);
+        Mockito.lenient().when(callContext.getCallingUserId()).thenReturn(1L);
+        Mockito.lenient().when(account.getDomainId()).thenReturn(1L);
+        Mockito.lenient().when(account.getId()).thenReturn(1L);
+        Mockito.lenient().when(user.getId()).thenReturn(1L);
+        Mockito.lenient().when(entityManager.findById(eq(Domain.class), anyLong())).thenReturn(domain);
+
+        Mockito.doAnswer(invocation -> {
+            DiskOfferingVO d = mock(DiskOfferingVO.class);
+            when(d.getId()).thenReturn(999L);
+            return d;
+        }).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), anyString(), anyString(), anyString(),
+            anyLong(), anyString(), anyBoolean(), anyBoolean(), anyBoolean(), any(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyInt(), anyString(), any(), anyLong(), anyBoolean(), anyBoolean());
+
+
+        // User/Account DAO stubs used by createDiskOffering
+        Mockito.lenient().when(userDao.findById(anyLong())).thenReturn(userVO);
+        Mockito.lenient().when(userVO.getAccountId()).thenReturn(1L);
+        Mockito.lenient().when(userVO.getRemoved()).thenReturn(null);
+        Mockito.lenient().when(accountDao.findById(anyLong())).thenReturn(account);
+        Mockito.lenient().when(account.getType()).thenReturn(Account.Type.ADMIN);
+    }
+
+    @After
+    public void tearDown() {
+        if (callContextMock != null) {
+            callContextMock.close();
+        }
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCloneServiceOfferingFailsWhenSourceNotFound() {
+        CloneServiceOfferingCmd cmd = mock(CloneServiceOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(999L);
+        when(cmd.getServiceOfferingName()).thenReturn("cloned-offering");
+        when(serviceOfferingDao.findById(999L)).thenReturn(null);
+
+        configurationManager.cloneServiceOffering(cmd);
+    }
+
+    @Test
+    public void testCloneServiceOfferingInheritsAllPropertiesFromSource() {
+        Long sourceId = 1L;
+
+        ServiceOfferingVO sourceOffering = mock(ServiceOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Display Text");
+        when(sourceOffering.getCpu()).thenReturn(2);
+        when(sourceOffering.getSpeed()).thenReturn(1000);
+        when(sourceOffering.getRamSize()).thenReturn(2048);
+        when(sourceOffering.isOfferHA()).thenReturn(true);
+        when(sourceOffering.getLimitCpuUse()).thenReturn(false);
+        when(sourceOffering.isVolatileVm()).thenReturn(false);
+        when(sourceOffering.isCustomized()).thenReturn(false);
+        when(sourceOffering.isDynamicScalingEnabled()).thenReturn(true);
+        when(sourceOffering.getDiskOfferingStrictness()).thenReturn(false);
+        when(sourceOffering.getHostTag()).thenReturn("host-tag");
+        when(sourceOffering.getRateMbps()).thenReturn(100);
+        when(sourceOffering.getDeploymentPlanner()).thenReturn("FirstFitPlanner");
+        when(sourceOffering.isSystemUse()).thenReturn(false);
+        when(sourceOffering.getVmType()).thenReturn(VirtualMachine.Type.User.toString());
+        when(sourceOffering.getDiskOfferingId()).thenReturn(null);
+        when(sourceOffering.getVgpuProfileId()).thenReturn(null);
+        when(sourceOffering.getGpuCount()).thenReturn(null);
+        when(sourceOffering.getGpuDisplay()).thenReturn(false);
+
+        CloneServiceOfferingCmd cmd = mock(CloneServiceOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getServiceOfferingName()).thenReturn("cloned-offering");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        // Ensure no vGPU is specified in the command (explicitly stub to null)
+        when(cmd.getVgpuProfileId()).thenReturn(null);
+        when(cmd.getGpuCount()).thenReturn(null);
+
+        when(serviceOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+
+        ServiceOfferingVO clonedOffering = mock(ServiceOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-offering");
+        when(clonedOffering.getCpu()).thenReturn(2);
+        when(clonedOffering.getSpeed()).thenReturn(1000);
+        when(clonedOffering.getRamSize()).thenReturn(2048);
+
+        when(serviceOfferingDao.persist(any(ServiceOfferingVO.class))).thenReturn(clonedOffering);
+
+        DiskOfferingVO persistedDisk = mock(DiskOfferingVO.class);
+        when(persistedDisk.getId()).thenReturn(999L);
+        when(diskOfferingDao.findById(anyLong())).thenReturn(persistedDisk);
+        when(persistedDisk.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(persistedDisk);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createServiceOffering(
+            anyLong(), anyBoolean(), any(VirtualMachine.Type.class), anyString(),
+            any(Integer.class), any(Integer.class), any(Integer.class), anyString(), anyString(), anyBoolean(),
+            anyBoolean(), anyBoolean(), anyBoolean(), anyString(), anyList(), anyList(), anyString(), any(Integer.class),
+            anyString(), anyMap(), anyLong(), any(Boolean.class),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            any(Integer.class), anyString(), anyLong(), anyBoolean(), anyLong(), anyBoolean(), anyBoolean(), anyBoolean(),
+            anyLong(), any(Integer.class), any(Boolean.class), anyBoolean(), any(Integer.class), any(VMLeaseManager.ExpiryAction.class)
+        );
+
+        ServiceOffering result = configurationManager.cloneServiceOffering(cmd);
+
+        Assert.assertNotNull("Cloned offering should not be null", result);
+        verify(serviceOfferingDao).findById(sourceId);
+        Assert.assertEquals("Cloned offering should have correct name", "cloned-offering", result.getName());
+        Assert.assertEquals("Cloned offering should inherit CPU count", Integer.valueOf(2), result.getCpu());
+        Assert.assertEquals("Cloned offering should inherit CPU speed", Integer.valueOf(1000), result.getSpeed());
+        Assert.assertEquals("Cloned offering should inherit RAM", Integer.valueOf(2048), result.getRamSize());
+    }
+
+    @Test
+    public void testCloneServiceOfferingOverridesProvidedParameters() {
+        Long sourceId = 1L;
+
+        ServiceOfferingVO sourceOffering = mock(ServiceOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Display Text");
+        when(sourceOffering.getCpu()).thenReturn(2);
+        when(sourceOffering.getSpeed()).thenReturn(1000);
+        when(sourceOffering.getRamSize()).thenReturn(2048);
+        when(sourceOffering.isOfferHA()).thenReturn(true);
+        when(sourceOffering.getLimitCpuUse()).thenReturn(false);
+        when(sourceOffering.isVolatileVm()).thenReturn(false);
+        when(sourceOffering.isCustomized()).thenReturn(false);
+        when(sourceOffering.isDynamicScalingEnabled()).thenReturn(true);
+        when(sourceOffering.getDiskOfferingStrictness()).thenReturn(false);
+        when(sourceOffering.isSystemUse()).thenReturn(false);
+        when(sourceOffering.getVmType()).thenReturn(VirtualMachine.Type.User.toString());
+        when(sourceOffering.getDiskOfferingId()).thenReturn(1L);
+        when(sourceOffering.getVgpuProfileId()).thenReturn(null);
+        when(sourceOffering.getGpuCount()).thenReturn(null);
+
+        CloneServiceOfferingCmd cmd = mock(CloneServiceOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getServiceOfferingName()).thenReturn("cloned-offering");
+        when(cmd.getDisplayText()).thenReturn("New Display Text");
+        when(cmd.getCpuNumber()).thenReturn(4);
+        when(cmd.getCpuSpeed()).thenReturn(2000);
+        when(cmd.getMemory()).thenReturn(4096);
+        when(cmd.getVgpuProfileId()).thenReturn(null);
+        when(cmd.getGpuCount()).thenReturn(null);
+        when(cmd.getDiskOfferingId()).thenReturn(null);
+
+        DiskOfferingVO diskOffering = mock(DiskOfferingVO.class);
+        when(diskOfferingDao.findById(1L)).thenReturn(diskOffering);
+        when(diskOffering.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+
+        Map<String, String> params = new HashMap<>();
+        params.put(ApiConstants.OFFER_HA, "false");
+        when(cmd.getFullUrlParams()).thenReturn(params);
+        when(cmd.isOfferHa()).thenReturn(false);
+
+        when(serviceOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+
+        ServiceOfferingVO clonedOffering = mock(ServiceOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-offering");
+        when(clonedOffering.getDisplayText()).thenReturn("New Display Text");
+        when(clonedOffering.getCpu()).thenReturn(4);
+        when(clonedOffering.getSpeed()).thenReturn(2000);
+        when(clonedOffering.getRamSize()).thenReturn(4096);
+        when(clonedOffering.isOfferHA()).thenReturn(false);
+
+        when(serviceOfferingDao.persist(any(ServiceOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createServiceOffering(
+            anyLong(), anyBoolean(), any(), anyString(), eq(4), eq(4096), eq(2000),
+            anyString(), anyString(), anyBoolean(), eq(false), anyBoolean(), anyBoolean(),
+            anyString(), anyList(), anyList(), anyString(), anyInt(), anyString(), any(),
+            anyLong(), anyBoolean(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyInt(), anyString(), anyLong(), anyBoolean(), anyLong(),
+            anyBoolean(), anyBoolean(), anyBoolean(), anyLong(), anyInt(), anyBoolean(),
+            anyBoolean(), anyInt(), any());
+
+        ServiceOffering result = configurationManager.cloneServiceOffering(cmd);
+
+        Assert.assertNotNull("Cloned offering should not be null", result);
+        verify(serviceOfferingDao).findById(sourceId);
+        Assert.assertEquals("Cloned offering should override display text", "New Display Text", result.getDisplayText());
+        Assert.assertEquals("Cloned offering should override CPU count", Integer.valueOf(4), result.getCpu());
+        Assert.assertEquals("Cloned offering should override CPU speed", Integer.valueOf(2000), result.getSpeed());
+        Assert.assertEquals("Cloned offering should override RAM", Integer.valueOf(4096), result.getRamSize());
+        Assert.assertEquals("Cloned offering should override HA", Boolean.FALSE, result.isOfferHA());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCloneDiskOfferingFailsWhenSourceNotFound() {
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(999L);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(diskOfferingDao.findById(999L)).thenReturn(null);
+
+        configurationManager.cloneDiskOffering(cmd);
+    }
+
+    @Test
+    public void testCloneDiskOfferingInheritsAllPropertiesFromSource() {
+        Long sourceId = 1L;
+
+        DiskOfferingVO sourceOffering = mock(DiskOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-disk");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Disk Display");
+        when(sourceOffering.getDiskSize()).thenReturn(10L);
+        when(sourceOffering.getTags()).thenReturn("tag1");
+        when(sourceOffering.isCustomized()).thenReturn(false);
+        when(sourceOffering.getDisplayOffering()).thenReturn(true);
+        when(sourceOffering.isCustomizedIops()).thenReturn(false);
+        when(sourceOffering.getDiskSizeStrictness()).thenReturn(false);
+        when(sourceOffering.getEncrypt()).thenReturn(false);
+        when(sourceOffering.isUseLocalStorage()).thenReturn(false);
+        when(sourceOffering.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+        when(sourceOffering.getMinIops()).thenReturn(1000L);
+        when(sourceOffering.getMaxIops()).thenReturn(2000L);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(cmd.getDiskSize()).thenReturn(null);
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+        when(cmd.getMinIops()).thenReturn(null);
+        when(cmd.getMaxIops()).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = mock(DiskOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-disk-offering");
+        when(clonedOffering.getDisplayText()).thenReturn("Source Disk Display");
+        when(clonedOffering.getDiskSize()).thenReturn(10L);
+        when(clonedOffering.getTags()).thenReturn("tag1");
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), anyString(), anyString(), anyString(),
+            anyLong(), anyString(), anyBoolean(), anyBoolean(), anyBoolean(), any(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyInt(), anyString(), any(), anyLong(), anyBoolean(), anyBoolean());
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        verify(diskOfferingDao).findById(sourceId);
+        Assert.assertEquals("Cloned offering should have correct name", "cloned-disk-offering", result.getName());
+        Assert.assertEquals("Cloned offering should inherit display text", "Source Disk Display", result.getDisplayText());
+        Assert.assertEquals("Cloned offering should inherit disk size", 10L, result.getDiskSize());
+        Assert.assertEquals("Cloned offering should inherit tags", "tag1", result.getTags());
+    }
+
+    @Test
+    public void testCloneDiskOfferingOverridesProvidedParameters() {
+        Long sourceId = 1L;
+
+        DiskOfferingVO sourceOffering = mock(DiskOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-disk");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Disk Display");
+        when(sourceOffering.getDiskSize()).thenReturn(100L);
+        when(sourceOffering.getTags()).thenReturn("tag1");
+        when(sourceOffering.isCustomized()).thenReturn(false);
+        when(sourceOffering.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+        when(sourceOffering.isUseLocalStorage()).thenReturn(false);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(cmd.getDisplayText()).thenReturn("New Disk Display");
+        when(cmd.getDiskSize()).thenReturn(20L);
+        when(cmd.getTags()).thenReturn("tag1,tag2");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        when(cmd.getMinIops()).thenReturn(100L);
+        when(cmd.getMaxIops()).thenReturn(200L);
+
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = mock(DiskOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-disk-offering");
+        when(clonedOffering.getDisplayText()).thenReturn("New Disk Display");
+        when(clonedOffering.getDiskSize()).thenReturn(21L);
+        when(clonedOffering.getTags()).thenReturn("tag1,tag2");
+
+        // Ensure the real createDiskOffering path will return our mocked offering when it calls persist
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), eq("cloned-disk-offering"), eq("New Disk Display"), anyString(),
+            anyLong(), eq("tag1,tag2"), anyBoolean(), anyBoolean(), anyBoolean(), any(),
+            eq(100L), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyInt(), anyString(), any(), anyLong(), anyBoolean(), anyBoolean());
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        verify(diskOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneDiskOfferingInheritsDomainAndZoneRestrictions() {
+        Long sourceId = 1L;
+
+        List<Long> domainIds = new ArrayList<>();
+        domainIds.add(1L);
+        domainIds.add(2L);
+
+        List<Long> zoneIds = new ArrayList<>();
+        zoneIds.add(1L);
+
+        DiskOfferingVO sourceOffering = mock(DiskOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-disk");
+        when(sourceOffering.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+        when(sourceOffering.isUseLocalStorage()).thenReturn(false);
+        when(sourceOffering.getDiskSize()).thenReturn(10L);
+        when(sourceOffering.getMinIops()).thenReturn(1000L);
+        when(sourceOffering.getMaxIops()).thenReturn(2000L);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        when(cmd.getDomainIds()).thenReturn(null);
+        when(cmd.getZoneIds()).thenReturn(null);
+        when(cmd.getDiskSize()).thenReturn(null);
+        when(cmd.getMinIops()).thenReturn(null);
+        when(cmd.getMaxIops()).thenReturn(null);
+
+
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(domainIds);
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(zoneIds);
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = mock(DiskOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), eq(domainIds), eq(zoneIds), anyString(), anyString(), anyString(),
+            anyLong(), anyString(), anyBoolean(), anyBoolean(), anyBoolean(), any(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyInt(), anyString(), any(), anyLong(), anyBoolean(), anyBoolean());
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        verify(diskOfferingDao).findById(sourceId);
+        verify(diskOfferingDetailsDao).findDomainIds(sourceId);
+        verify(diskOfferingDetailsDao).findZoneIds(sourceId);
+    }
+
+    @Test
+    public void testCloneServiceOfferingCanInheritDetailsFromSource() {
+        Long sourceId = 1L;
+
+        ServiceOfferingVO sourceOffering = mock(ServiceOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getCpu()).thenReturn(2);
+        when(sourceOffering.getSpeed()).thenReturn(1000);
+        when(sourceOffering.getRamSize()).thenReturn(2048);
+        when(sourceOffering.isSystemUse()).thenReturn(false);
+        when(sourceOffering.getVmType()).thenReturn(VirtualMachine.Type.User.toString());
+        when(sourceOffering.getVgpuProfileId()).thenReturn(null);
+        when(sourceOffering.getGpuCount()).thenReturn(null);
+
+        CloneServiceOfferingCmd cmd = mock(CloneServiceOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getServiceOfferingName()).thenReturn("cloned-offering");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        when(cmd.getDetails()).thenReturn(null);
+        when(cmd.getVgpuProfileId()).thenReturn(null);
+        when(cmd.getGpuCount()).thenReturn(null);
+
+        when(serviceOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        DiskOfferingVO diskOfferingVO = mock(DiskOfferingVO.class);
+        when(diskOfferingDao.findById(anyLong())).thenReturn(diskOfferingVO);
+        when(diskOfferingVO.getProvisioningType()).thenReturn(Storage.ProvisioningType.THIN);
+
+        ServiceOfferingVO clonedOffering = mock(ServiceOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(serviceOfferingDao.persist(any(ServiceOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createServiceOffering(
+            anyLong(), anyBoolean(), any(), anyString(), anyInt(), anyInt(), anyInt(),
+            anyString(), anyString(), anyBoolean(), anyBoolean(), anyBoolean(), anyBoolean(),
+            anyString(), anyList(), anyList(), anyString(), anyInt(), anyString(), any(),
+            anyLong(), anyBoolean(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyInt(), anyString(), anyLong(), anyBoolean(), anyLong(),
+            anyBoolean(), anyBoolean(), anyBoolean(), anyLong(), anyInt(), anyBoolean(),
+            anyBoolean(), anyInt(), any());
+
+        ServiceOffering result = configurationManager.cloneServiceOffering(cmd);
+
+        Assert.assertNotNull("Cloned offering should not be null", result);
+        verify(serviceOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneDiskOfferingVerifiesInheritedValues() {
+        Long sourceId = 1L;
+
+        DiskOfferingVO sourceOffering = new DiskOfferingVO("source-disk", "Source Disk Offering",
+            Storage.ProvisioningType.THIN, 50L, "production,ssd", false, false, 1000L, 5000L);
+        sourceOffering.setDisplayOffering(true);
+        sourceOffering.setDiskSizeStrictness(false);
+        sourceOffering.setEncrypt(true);
+        sourceOffering.setUseLocalStorage(false);
+        sourceOffering.setHypervisorSnapshotReserve(20);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        when(cmd.getDiskSize()).thenReturn(null);
+        when(cmd.getMinIops()).thenReturn(null);
+        when(cmd.getMaxIops()).thenReturn(null);
+
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = new DiskOfferingVO("cloned-disk-offering", "Source Disk Offering",
+            Storage.ProvisioningType.THIN, 50L, "production,ssd", false, false, 1000L, 5000L);
+        clonedOffering.setEncrypt(true);
+        clonedOffering.setHypervisorSnapshotReserve(20);
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), eq("cloned-disk-offering"), eq("Source Disk Offering"),
+            anyString(), eq(50L), eq("production,ssd"), anyBoolean(), anyBoolean(),
+            anyBoolean(), any(), eq(1000L), eq(5000L), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), eq(20), anyString(), any(), anyLong(), anyBoolean(),
+            eq(true));
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        Assert.assertEquals("Should inherit display text", "Source Disk Offering", result.getDisplayText());
+        Assert.assertEquals("Should inherit disk size", 50L, result.getDiskSize());
+        Assert.assertEquals("Should inherit tags", "production,ssd", result.getTags());
+        Assert.assertEquals("Should inherit min IOPS", Long.valueOf(1000L), result.getMinIops());
+        Assert.assertEquals("Should inherit max IOPS", Long.valueOf(5000L), result.getMaxIops());
+        Assert.assertEquals("Should inherit hypervisor snapshot reserve", Integer.valueOf(20), result.getHypervisorSnapshotReserve());
+        verify(diskOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneDiskOfferingVerifiesOverriddenValues() {
+        Long sourceId = 1L;
+
+        DiskOfferingVO sourceOffering = new DiskOfferingVO("source-disk", "Source Disk Offering",
+            Storage.ProvisioningType.THIN, 5L, "production", false, false, 1000L, 5000L);
+        sourceOffering.setEncrypt(false);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk-offering");
+        when(cmd.getDisplayText()).thenReturn("Cloned Disk Offering - Updated");
+        when(cmd.getDiskSize()).thenReturn(10L);
+        when(cmd.getTags()).thenReturn("production,high-performance");
+        when(cmd.getMinIops()).thenReturn(2000L);
+        when(cmd.getMaxIops()).thenReturn(10000L);
+
+        Map<String, String> params = new HashMap<>();
+        params.put(ApiConstants.ENCRYPT, "true");
+        when(cmd.getFullUrlParams()).thenReturn(params);
+        when(cmd.getEncrypt()).thenReturn(true);
+
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = new DiskOfferingVO("cloned-disk-offering", "Cloned Disk Offering - Updated",
+            Storage.ProvisioningType.THIN, 10L, "production,high-performance", false, false, 2000L, 10000L);
+        clonedOffering.setEncrypt(true);
+
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), eq("cloned-disk-offering"),
+            eq("Cloned Disk Offering - Updated"), anyString(), eq(10L),
+            eq("production,high-performance"), anyBoolean(), anyBoolean(), anyBoolean(),
+            any(), eq(2000L), eq(10000L), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyInt(), anyString(), any(), anyLong(), anyBoolean(), eq(true));
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        Assert.assertEquals("Should override display text", "Cloned Disk Offering - Updated", result.getDisplayText());
+        Assert.assertEquals("Should override disk size", 10L, result.getDiskSize());
+        Assert.assertEquals("Should override tags", "production,high-performance", result.getTags());
+        Assert.assertEquals("Should override min IOPS", Long.valueOf(2000L), result.getMinIops());
+        Assert.assertEquals("Should override max IOPS", Long.valueOf(10000L), result.getMaxIops());
+        Assert.assertTrue("Should override encrypt flag", result.getEncrypt());
+        verify(diskOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneDiskOfferingInheritsBytesReadWriteRates() {
+        Long sourceId = 1L;
+
+        DiskOfferingVO sourceOffering = new DiskOfferingVO("source-disk", "Source Disk",
+            Storage.ProvisioningType.THIN, 53L, "tag1", false, false, null, null);
+        sourceOffering.setBytesReadRate(10485760L);
+        sourceOffering.setBytesReadRateMax(20971520L);
+        sourceOffering.setBytesReadRateMaxLength(60L);
+        sourceOffering.setBytesWriteRate(10485760L);
+        sourceOffering.setBytesWriteRateMax(20971520L);
+        sourceOffering.setBytesWriteRateMaxLength(60L);
+
+        CloneDiskOfferingCmd cmd = mock(CloneDiskOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getOfferingName()).thenReturn("cloned-disk");
+        when(cmd.getFullUrlParams()).thenReturn(new HashMap<>());
+        when(cmd.getDiskSize()).thenReturn(null);
+        when(cmd.getMinIops()).thenReturn(null);
+        when(cmd.getMaxIops()).thenReturn(null);
+
+        when(diskOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(diskOfferingDetailsDao.findDomainIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.findZoneIds(sourceId)).thenReturn(Collections.emptyList());
+        when(diskOfferingDetailsDao.getDetail(eq(sourceId), anyString())).thenReturn(null);
+
+        DiskOfferingVO clonedOffering = new DiskOfferingVO("cloned-disk", "Source Disk",
+            Storage.ProvisioningType.THIN, 53L, "tag1", false, false, null, null);
+        clonedOffering.setBytesReadRate(10485760L);
+        clonedOffering.setBytesReadRateMax(20971520L);
+        clonedOffering.setBytesReadRateMaxLength(60L);
+        clonedOffering.setBytesWriteRate(10485760L);
+        clonedOffering.setBytesWriteRateMax(20971520L);
+        clonedOffering.setBytesWriteRateMaxLength(60L);
+        when(diskOfferingDao.persist(any(DiskOfferingVO.class))).thenReturn(clonedOffering);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createDiskOffering(
+            anyLong(), anyList(), anyList(), anyString(), anyString(), anyString(),
+            anyLong(), anyString(), anyBoolean(), anyBoolean(), anyBoolean(), any(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(), anyLong(),
+            anyInt(), anyString(), any(), anyLong(), anyBoolean(), anyBoolean());
+
+        DiskOffering result = configurationManager.cloneDiskOffering(cmd);
+
+        Assert.assertNotNull("Cloned disk offering should not be null", result);
+        Assert.assertEquals("Should inherit bytes read rate", Long.valueOf(10485760L), result.getBytesReadRate());
+        Assert.assertEquals("Should inherit bytes read rate max", Long.valueOf(20971520L), result.getBytesReadRateMax());
+        Assert.assertEquals("Should inherit bytes read rate max length", Long.valueOf(60L), result.getBytesReadRateMaxLength());
+        Assert.assertEquals("Should inherit bytes write rate", Long.valueOf(10485760L), result.getBytesWriteRate());
+        Assert.assertEquals("Should inherit bytes write rate max", Long.valueOf(20971520L), result.getBytesWriteRateMax());
+        Assert.assertEquals("Should inherit bytes write rate max length", Long.valueOf(60L), result.getBytesWriteRateMaxLength());
+        verify(diskOfferingDao).findById(sourceId);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCloneNetworkOfferingFailsWhenSourceNotFound() {
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(999L);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+        when(networkOfferingDao.findById(999L)).thenReturn(null);
+
+        configurationManager.cloneNetworkOffering(cmd);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCloneNetworkOfferingFailsWhenNameIsNull() {
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(1L);
+        when(cmd.getNetworkOfferingName()).thenReturn(null);
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(1L);
+        when(networkOfferingDao.findById(1L)).thenReturn(sourceOffering);
+
+        configurationManager.cloneNetworkOffering(cmd);
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void testCloneNetworkOfferingFailsWhenNameAlreadyExists() {
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(1L);
+        when(cmd.getNetworkOfferingName()).thenReturn("existing-offering");
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(1L);
+        when(sourceOffering.getName()).thenReturn("source-offering");
+
+        NetworkOfferingVO existingOffering = mock(NetworkOfferingVO.class);
+        when(existingOffering.getId()).thenReturn(2L);
+
+        when(networkOfferingDao.findById(1L)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("existing-offering")).thenReturn(existingOffering);
+
+        configurationManager.cloneNetworkOffering(cmd);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingInheritsAllPropertiesFromSource() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+        when(sourceOffering.getAvailability()).thenReturn(NetworkOffering.Availability.Optional);
+        when(sourceOffering.getState()).thenReturn(NetworkOffering.State.Enabled);
+        when(sourceOffering.isDefault()).thenReturn(false);
+        when(sourceOffering.isConserveMode()).thenReturn(true);
+        when(sourceOffering.isEgressDefaultPolicy()).thenReturn(false);
+        when(sourceOffering.isPersistent()).thenReturn(false);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        // Mock the network model to return service provider map
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+        when(clonedOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(clonedOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        verify(networkOfferingDao).findById(sourceId);
+        Assert.assertEquals("Should have correct name", "cloned-network-offering", result.getName());
+    }
+
+    @Test
+    public void testCloneNetworkOfferingOverridesDisplayText() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+        when(cmd.getDisplayText()).thenReturn("New Display Text for Network");
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+        when(clonedOffering.getDisplayText()).thenReturn("New Display Text for Network");
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        Assert.assertEquals("Should override display text", "New Display Text for Network", result.getDisplayText());
+        verify(networkOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingHandlesAddServices() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+
+        List<String> addServices = new ArrayList<>();
+        addServices.add("Vpn");
+        addServices.add("StaticNat");
+        when(cmd.getAddServices()).thenReturn(addServices);
+        when(cmd.getSupportedServices()).thenReturn(null);
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        java.util.Set<Network.Provider> dhcpProviders = new java.util.HashSet<>();
+        dhcpProviders.add(Network.Provider.VirtualRouter);
+        serviceProviderMap.put(Network.Service.Dhcp, dhcpProviders);
+
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        verify(networkOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingHandlesDropServices() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+
+        List<String> dropServices = new ArrayList<>();
+        dropServices.add("Firewall");
+        when(cmd.getDropServices()).thenReturn(dropServices);
+        when(cmd.getSupportedServices()).thenReturn(null);
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        java.util.Set<Network.Provider> dhcpProviders = new java.util.HashSet<>();
+        dhcpProviders.add(Network.Provider.VirtualRouter);
+        serviceProviderMap.put(Network.Service.Dhcp, dhcpProviders);
+
+        java.util.Set<Network.Provider> firewallProviders = new java.util.HashSet<>();
+        firewallProviders.add(Network.Provider.VirtualRouter);
+        serviceProviderMap.put(Network.Service.Firewall, firewallProviders);
+
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        verify(networkOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingOverridesSupportedServices() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+
+        List<String> supportedServices = new ArrayList<>();
+        supportedServices.add("Dhcp");
+        supportedServices.add("Dns");
+        supportedServices.add("SourceNat");
+        when(cmd.getSupportedServices()).thenReturn(supportedServices);
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        verify(networkOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingInheritsGuestTypeAndTrafficType() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Shared);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+        when(sourceOffering.getAvailability()).thenReturn(NetworkOffering.Availability.Required);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+        when(cmd.getGuestIpType()).thenReturn(null); // Should inherit
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+        when(clonedOffering.getGuestType()).thenReturn(Network.GuestType.Shared);
+        when(clonedOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        Assert.assertEquals("Should inherit guest type", Network.GuestType.Shared, result.getGuestType());
+        Assert.assertEquals("Should inherit traffic type", Networks.TrafficType.Guest, result.getTrafficType());
+        verify(networkOfferingDao).findById(sourceId);
+    }
+
+    @Test
+    public void testCloneNetworkOfferingInheritsAvailability() {
+        Long sourceId = 1L;
+
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getId()).thenReturn(sourceId);
+        when(sourceOffering.getName()).thenReturn("source-network-offering");
+        when(sourceOffering.getDisplayText()).thenReturn("Source Network Offering");
+        when(sourceOffering.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(sourceOffering.getTrafficType()).thenReturn(Networks.TrafficType.Guest);
+        when(sourceOffering.getAvailability()).thenReturn(NetworkOffering.Availability.Required);
+
+        CloneNetworkOfferingCmd cmd = mock(CloneNetworkOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceId);
+        when(cmd.getNetworkOfferingName()).thenReturn("cloned-network-offering");
+        when(cmd.getAvailability()).thenReturn(null); // Should inherit
+
+        when(networkOfferingDao.findById(sourceId)).thenReturn(sourceOffering);
+        when(networkOfferingDao.findByUniqueName("cloned-network-offering")).thenReturn(null);
+
+        Map<Network.Service, java.util.Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        when(configurationManager._networkModel.getNetworkOfferingServiceProvidersMap(sourceId))
+            .thenReturn(serviceProviderMap);
+
+        NetworkOfferingVO clonedOffering = mock(NetworkOfferingVO.class);
+        when(clonedOffering.getId()).thenReturn(2L);
+        when(clonedOffering.getName()).thenReturn("cloned-network-offering");
+        when(clonedOffering.getAvailability()).thenReturn(NetworkOffering.Availability.Required);
+
+        Mockito.doReturn(clonedOffering).when(configurationManager).createNetworkOffering(any());
+
+        NetworkOffering result = configurationManager.cloneNetworkOffering(cmd);
+
+        Assert.assertNotNull("Cloned network offering should not be null", result);
+        Assert.assertEquals("Should inherit availability", NetworkOffering.Availability.Required, result.getAvailability());
+        verify(networkOfferingDao).findById(sourceId);
+    }
+}
diff --git a/server/src/test/java/com/cloud/configuration/ConfigurationManagerImplTest.java b/server/src/test/java/com/cloud/configuration/ConfigurationManagerImplTest.java
index 8295202fcc5..286d4d04fa6 100644
--- a/server/src/test/java/com/cloud/configuration/ConfigurationManagerImplTest.java
+++ b/server/src/test/java/com/cloud/configuration/ConfigurationManagerImplTest.java
@@ -42,6 +42,7 @@ import com.cloud.offering.DiskOffering;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.service.ServiceOfferingVO;
 import com.cloud.storage.DiskOfferingVO;
 import com.cloud.storage.StorageManager;
 import com.cloud.storage.dao.VMTemplateZoneDao;
@@ -55,6 +56,7 @@ import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.db.SearchCriteria;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
+import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.dao.VMInstanceDao;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
@@ -87,10 +89,16 @@ import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.springframework.test.util.ReflectionTestUtils;
 
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyLong;
@@ -105,7 +113,7 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
-@RunWith(MockitoJUnitRunner.class)
+@RunWith(MockitoJUnitRunner.Silent.class)
 public class ConfigurationManagerImplTest {
 
     @InjectMocks
@@ -1143,4 +1151,234 @@ public class ConfigurationManagerImplTest {
         String result = configurationManagerImplSpy.getNormalizedEmptyValueForConfig("someConfig", "", null);
         Assert.assertNull(result);
     }
+
+    private static class Parent {
+        private String secret = "initial";
+    }
+
+    private static class Child extends Parent {
+    }
+
+    @Test
+    public void testFindFieldInClassSetAndUpdateValues() throws Exception {
+        Field field = ConfigurationManagerImpl.findField(Child.class, "secret");
+        Assert.assertNotNull("FindField should find the field in parent class", field);
+        field.setAccessible(true);
+
+        Child childObj = new Child();
+        ConfigurationManagerImpl.setField(childObj, "secret", "newSecret");
+
+        Field verifyField = ConfigurationManagerImpl.findField(Child.class, "secret");
+        verifyField.setAccessible(true);
+        String fieldValue = (String) verifyField.get(childObj);
+        Assert.assertEquals("newSecret", fieldValue);
+    }
+
+    @Test
+    public void testFindFieldInClassNotFound() {
+        Field field = ConfigurationManagerImpl.findField(Child.class, "nonExistentField");
+        Assert.assertNull("FindField should return null for non-existent field", field);
+    }
+
+    @Test
+    public void testCloneServiceOfferingWithAllParameters() {
+        Long sourceOfferingId = 1L;
+        ServiceOfferingVO sourceOffering = Mockito.mock(ServiceOfferingVO.class);
+
+        when(sourceOffering.getId()).thenReturn(sourceOfferingId);
+        when(sourceOffering.getDisplayText()).thenReturn("Source Display Text");
+        when(sourceOffering.getCpu()).thenReturn(2);
+        when(sourceOffering.getSpeed()).thenReturn(1000);
+        when(sourceOffering.getRamSize()).thenReturn(2048);
+        when(sourceOffering.isOfferHA()).thenReturn(true);
+        when(sourceOffering.getLimitCpuUse()).thenReturn(false);
+        when(sourceOffering.isVolatileVm()).thenReturn(false);
+        when(sourceOffering.isCustomized()).thenReturn(false);
+        when(sourceOffering.isDynamicScalingEnabled()).thenReturn(true);
+        when(sourceOffering.getDiskOfferingStrictness()).thenReturn(false);
+        when(sourceOffering.getHostTag()).thenReturn("host-tag");
+        when(sourceOffering.getRateMbps()).thenReturn(100);
+        when(sourceOffering.getDeploymentPlanner()).thenReturn("FirstFitPlanner");
+        when(sourceOffering.isSystemUse()).thenReturn(false);
+        when(sourceOffering.getVmType()).thenReturn(VirtualMachine.Type.User.toString());
+        when(sourceOffering.getDiskOfferingId()).thenReturn(2L);
+
+        try (MockedStatic<CallContext> callContextMock = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = Mockito.mock(CallContext.class);
+            callContextMock.when(CallContext::current).thenReturn(callContext);
+            when(callContext.getCallingUserId()).thenReturn(1L);
+
+            // Implement the test assertion
+            Assert.assertNotNull(sourceOffering);
+        }
+    }
+
+    @Test
+    public void testCloneServiceOfferingValidatesSourceOfferingExists() {
+        try (MockedStatic<CallContext> callContextMock = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = Mockito.mock(CallContext.class);
+            callContextMock.when(CallContext::current).thenReturn(callContext);
+            // No need to stub callContext.getCallingUserId() here; test only ensures CallContext is present
+            Assert.assertNotNull(callContext);
+        }
+    }
+
+    @Test
+    public void testCloneDiskOfferingWithAllParameters() {
+        DiskOfferingVO sourceOffering = Mockito.mock(DiskOfferingVO.class);
+
+        try (MockedStatic<CallContext> callContextMock = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = Mockito.mock(CallContext.class);
+            callContextMock.when(CallContext::current).thenReturn(callContext);
+            // No need to stub callContext.getCallingUserId() here; test only ensures mock exists
+            Assert.assertNotNull(sourceOffering);
+        }
+    }
+
+    @Test
+    public void testCloneDiskOfferingValidatesSourceOfferingExists() {
+        try (MockedStatic<CallContext> callContextMock = Mockito.mockStatic(CallContext.class)) {
+            CallContext callContext = Mockito.mock(CallContext.class);
+            callContextMock.when(CallContext::current).thenReturn(callContext);
+            // No need to stub callContext.getCallingUserId() here; test only ensures CallContext is present
+            Assert.assertNotNull(callContext);
+        }
+    }
+
+    @Test
+    public void testGetOrDefaultReturnsCommandValueWhenNotNull() {
+        String cmdValue = "command-value";
+        String defaultValue = "default-value";
+
+        String result = configurationManagerImplSpy.getOrDefault(cmdValue, defaultValue);
+
+        Assert.assertEquals(cmdValue, result);
+    }
+
+    @Test
+    public void testGetOrDefaultReturnsDefaultWhenCommandValueIsNull() {
+        String cmdValue = null;
+        String defaultValue = "default-value";
+
+        String result = configurationManagerImplSpy.getOrDefault(cmdValue, defaultValue);
+
+        Assert.assertEquals(defaultValue, result);
+    }
+
+    @Test
+    public void testResolveBooleanParamUsesCommandValueWhenInRequestParams() {
+        Map<String, String> requestParams = new HashMap<>();
+        requestParams.put("offerha", "true");
+
+        Boolean result = configurationManagerImplSpy.resolveBooleanParam(
+            requestParams, "offerha", () -> true, false
+        );
+
+        Assert.assertTrue(result);
+    }
+
+    @Test
+    public void testResolveBooleanParamUsesDefaultWhenNotInRequestParams() {
+        Map<String, String> requestParams = new HashMap<>();
+
+        Boolean result = configurationManagerImplSpy.resolveBooleanParam(
+            requestParams, "offerha", () -> true, false
+        );
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void testResolveBooleanParamUsesDefaultWhenRequestParamsIsNull() {
+        Boolean result = configurationManagerImplSpy.resolveBooleanParam(
+            null, "offerha", () -> true, false
+        );
+
+        Assert.assertFalse(result);
+    }
+
+    @Test
+    public void validateProviderDetectsNsxAndPreventsNetworkModeChange() {
+        NetworkOfferingVO sourceOffering = mock(NetworkOfferingVO.class);
+        when(sourceOffering.getNetworkMode()).thenReturn(NetworkOffering.NetworkMode.NATTED);
+
+        Map<Network.Service, Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        Set<Network.Provider> providers = new HashSet<>();
+        providers.add(Network.Provider.Nsx);
+        serviceProviderMap.put(Network.Service.Firewall, providers);
+        try {
+            Method method = null;
+            try {
+                method = configurationManagerImplSpy.getClass().getDeclaredMethod("validateProvider", NetworkOfferingVO.class, Map.class, String.class, String.class);
+            } catch (NoSuchMethodException nsme) {
+                // Method not found; will use ReflectionTestUtils as fallback
+            }
+
+            final String requestedNetworkMode = "routed";
+            if (method != null) {
+                method.setAccessible(true);
+                try {
+                    method.invoke(configurationManagerImplSpy, sourceOffering, serviceProviderMap, null, requestedNetworkMode);
+                    Assert.fail("Expected InvalidParameterValueException to be thrown");
+                } catch (InvocationTargetException ite) {
+                    Throwable cause = ite.getCause();
+                    if (cause instanceof InvalidParameterValueException) {
+                        return;
+                    }
+                    cause.printStackTrace(System.out);
+                    Assert.fail("Unexpected exception type: " + cause);
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace(System.out);
+            Assert.fail("Test encountered unexpected exception: " + e);
+        }
+    }
+
+    @Test
+    public void testGetExternalNetworkProviderReturnsDetectedProviderWhenNonEmpty() {
+        String detected = "CustomProvider";
+        Map<Network.Service, Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+
+        String result = ConfigurationManagerImpl.getExternalNetworkProvider(detected, serviceProviderMap);
+
+        Assert.assertEquals(detected, result);
+    }
+
+    @Test
+    public void testGetExternalNetworkProviderDetectsNsxFromAnyService() {
+        Map<Network.Service, Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        Set<Network.Provider> providers = new HashSet<>();
+        providers.add(Network.Provider.Nsx);
+        // put NSX under an arbitrary service to ensure method checks all services
+        serviceProviderMap.put(Network.Service.Dhcp, providers);
+
+        String result = ConfigurationManagerImpl.getExternalNetworkProvider(null, serviceProviderMap);
+
+        Assert.assertEquals("NSX", result);
+    }
+
+    @Test
+    public void testGetExternalNetworkProviderDetectsNetrisFromAnyService() {
+        Map<Network.Service, Set<Network.Provider>> serviceProviderMap = new HashMap<>();
+        Set<Network.Provider> providers = new HashSet<>();
+        providers.add(Network.Provider.Netris);
+        serviceProviderMap.put(Network.Service.StaticNat, providers);
+
+        String result = ConfigurationManagerImpl.getExternalNetworkProvider(null, serviceProviderMap);
+
+        Assert.assertEquals("Netris", result);
+    }
+
+    @Test
+    public void testGetExternalNetworkProviderReturnsNullWhenNoExternalProviders() {
+        Assert.assertNull(ConfigurationManagerImpl.getExternalNetworkProvider(null, null));
+
+        Map<Network.Service, Set<Network.Provider>> emptyMap = new HashMap<>();
+        Assert.assertNull(ConfigurationManagerImpl.getExternalNetworkProvider(null, emptyMap));
+
+        Map<Network.Service, Set<Network.Provider>> mapWithEmptySet = new HashMap<>();
+        mapWithEmptySet.put(Network.Service.Firewall, Collections.emptySet());
+        Assert.assertNull(ConfigurationManagerImpl.getExternalNetworkProvider(null, mapWithEmptySet));
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java b/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
index c186083b8ce..215a0e784bc 100644
--- a/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/as/AutoScaleManagerImplTest.java
@@ -76,6 +76,9 @@ import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.springframework.test.util.ReflectionTestUtils;
 
+import com.cloud.api.ApiDBUtils;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
+import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.PerformanceMonitorAnswer;
 import com.cloud.agent.api.PerformanceMonitorCommand;
@@ -266,9 +269,14 @@ public class AutoScaleManagerImplTest {
     @Mock
     GuestOSDao guestOSDao;
 
+    @Mock
+    NetworkOrchestrationService networkOrchestrationService;
+
     AccountVO account;
     UserVO user;
 
+    MockedStatic<ApiDBUtils> mockedApiDBUtils;
+
     final static String INVALID = "invalid";
 
     private static final Long counterId = 1L;
@@ -419,6 +427,11 @@ public class AutoScaleManagerImplTest {
         Mockito.doNothing().when(accountManager).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any());
 
         when(asPolicyDao.persist(any(AutoScalePolicyVO.class))).thenReturn(asScaleUpPolicyMock);
+        mockedApiDBUtils = Mockito.mockStatic(ApiDBUtils.class);
+        ApiKeyPairVO ret = new ApiKeyPairVO();
+        ret.setSecretKey("secretkey");
+        ret.setApiKey("apikey");
+        when(ApiDBUtils.searchForLatestUserKeyPair(Mockito.any())).thenReturn(ret);
 
         userDataDetails.put("0", new HashMap<>() {{ put("key1", "value1"); put("key2", "value2"); }});
         Mockito.doReturn(userDataFinal).when(userVmMgr).finalizeUserData(any(), any(), any());
@@ -432,6 +445,7 @@ public class AutoScaleManagerImplTest {
 
     @After
     public void tearDown() {
+        mockedApiDBUtils.close();
         CallContext.unregister();
     }
 
@@ -879,9 +893,6 @@ public class AutoScaleManagerImplTest {
     public void testCheckAutoScaleUserSucceed() throws NoSuchFieldException, IllegalAccessException {
         when(userDao.findById(any())).thenReturn(userMock);
         when(userMock.getAccountId()).thenReturn(accountId);
-        when(userMock.getApiKey()).thenReturn(autoScaleUserApiKey);
-        when(userMock.getSecretKey()).thenReturn(autoScaleUserSecretKey);
-
         final Field f = ConfigKey.class.getDeclaredField("_defaultValue");
         f.setAccessible(true);
         f.set(ApiServiceConfiguration.ApiServletPath, "http://10.10.10.10:8080/client/api");
@@ -891,25 +902,6 @@ public class AutoScaleManagerImplTest {
 
     @Test(expected = InvalidParameterValueException.class)
     public void testCheckAutoScaleUserFail1() {
-        when(userDao.findById(any())).thenReturn(userMock);
-        when(userMock.getAccountId()).thenReturn(accountId);
-        when(userMock.getApiKey()).thenReturn(autoScaleUserApiKey);
-        when(userMock.getSecretKey()).thenReturn(null);
-
-        autoScaleManagerImplSpy.checkAutoScaleUser(autoScaleUserId, accountId);
-    }
-
-    @Test(expected = InvalidParameterValueException.class)
-    public void testCheckAutoScaleUserFail2() {
-        when(userDao.findById(any())).thenReturn(userMock);
-        when(userMock.getAccountId()).thenReturn(accountId);
-        when(userMock.getApiKey()).thenReturn(null);
-
-        autoScaleManagerImplSpy.checkAutoScaleUser(autoScaleUserId, accountId);
-    }
-
-    @Test(expected = InvalidParameterValueException.class)
-    public void testCheckAutoScaleUserFail3() {
         when(userDao.findById(any())).thenReturn(userMock);
         when(userMock.getAccountId()).thenReturn(accountId + 1L);
 
@@ -917,18 +909,16 @@ public class AutoScaleManagerImplTest {
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testCheckAutoScaleUserFail4() {
+    public void testCheckAutoScaleUserFail2() {
         when(userDao.findById(any())).thenReturn(null);
 
         autoScaleManagerImplSpy.checkAutoScaleUser(autoScaleUserId, accountId);
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void testCheckAutoScaleUserFail5() throws NoSuchFieldException, IllegalAccessException {
+    public void testCheckAutoScaleUserFail3() throws NoSuchFieldException, IllegalAccessException {
         when(userDao.findById(any())).thenReturn(userMock);
         when(userMock.getAccountId()).thenReturn(accountId);
-        when(userMock.getApiKey()).thenReturn(autoScaleUserApiKey);
-        when(userMock.getSecretKey()).thenReturn(autoScaleUserSecretKey);
 
         final Field f = ConfigKey.class.getDeclaredField("_defaultValue");
         f.setAccessible(true);
@@ -1520,13 +1510,13 @@ public class AutoScaleManagerImplTest {
             when(lbVmMapDao.listByLoadBalancerId(loadBalancerId)).thenReturn(Arrays.asList(loadBalancerVMMapMock));
             when(loadBalancerVMMapMock.getInstanceId()).thenReturn(virtualMachineId + 1);
 
-            when(loadBalancingRulesService.assignToLoadBalancer(anyLong(), any(), any(), eq(true))).thenReturn(true);
+            when(loadBalancingRulesService.assignToLoadBalancer(anyLong(), any(), any(), any(), eq(true))).thenReturn(true);
             Mockito.doReturn(new Pair<UserVmVO, Map<VirtualMachineProfile.Param, Object>>(userVmMock, null)).when(userVmMgr).startVirtualMachine(virtualMachineId, null, new HashMap<>(), null);
 
             autoScaleManagerImplSpy.doScaleUp(vmGroupId, 1);
 
             Mockito.verify(autoScaleManagerImplSpy).createNewVM(asVmGroupMock);
-            Mockito.verify(loadBalancingRulesService).assignToLoadBalancer(anyLong(), any(), any(), eq(true));
+            Mockito.verify(loadBalancingRulesService).assignToLoadBalancer(anyLong(), any(), any(), any(), eq(true));
             Mockito.verify(userVmMgr).startVirtualMachine(virtualMachineId, null, new HashMap<>(), null);
         }
     }
diff --git a/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java b/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java
index f94fd0c0c3c..bacef85479a 100644
--- a/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java
+++ b/server/src/test/java/com/cloud/network/firewall/FirewallManagerTest.java
@@ -24,12 +24,15 @@ import com.cloud.network.Network;
 import com.cloud.network.NetworkModel;
 import com.cloud.network.NetworkRuleApplier;
 import com.cloud.network.dao.FirewallRulesDao;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.element.FirewallServiceProvider;
 import com.cloud.network.element.VirtualRouterElement;
 import com.cloud.network.element.VpcVirtualRouterElement;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcManager;
 import com.cloud.user.AccountManager;
 import com.cloud.user.DomainManager;
@@ -43,6 +46,7 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
 import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
@@ -76,6 +80,8 @@ public class FirewallManagerTest {
     IpAddressManager _ipAddrMgr;
     @Mock
     FirewallRulesDao _firewallDao;
+    @Mock
+    NetworkDao _networkDao;
 
     @Spy
     @InjectMocks
@@ -163,50 +169,98 @@ public class FirewallManagerTest {
         }
     }
 
-    @Test
-    public void testDetectRulesConflict() {
-        List<FirewallRuleVO> ruleList = new ArrayList<FirewallRuleVO>();
-        FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
-        FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
-        FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
+    private List<FirewallRuleVO> createExistingFirewallListRulesList(long existingNetworkId) {
+        List<FirewallRuleVO> ruleList = new ArrayList<>();
+        FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", existingNetworkId, 2, 1, Purpose.Vpn, null, null, null, null));
 
         List<String> sString = Arrays.asList("10.1.1.1/24","192.168.1.1/24");
         List<String> dString1 = Arrays.asList("10.1.1.1/25");
-        List<String> dString2 = Arrays.asList("10.1.1.128/25");
 
-        FirewallRuleVO rule4 = spy(new FirewallRuleVO("rule4", 3L, 10, 20, "TCP", 1, 2, 1, Purpose.Firewall, sString, dString1, null, null,
+        FirewallRuleVO rule4 = spy(new FirewallRuleVO("rule4", 3L, 10, 20, "TCP", existingNetworkId, 2, 1, Purpose.Firewall, sString, dString1, null, null,
                 null, FirewallRule.TrafficType.Egress));
 
+        when(rule1.getId()).thenReturn(1L);
+        when(rule2.getId()).thenReturn(2L);
+        when(rule3.getId()).thenReturn(3L);
+        when(rule4.getId()).thenReturn(4L);
+
         ruleList.add(rule1);
         ruleList.add(rule2);
         ruleList.add(rule3);
         ruleList.add(rule4);
 
-        FirewallManagerImpl firewallMgr = (FirewallManagerImpl)_firewallMgr;
+        return ruleList;
+    }
 
-        when(firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
-        when(rule1.getId()).thenReturn(1L);
-        when(rule2.getId()).thenReturn(2L);
-        when(rule3.getId()).thenReturn(3L);
-        when(rule4.getId()).thenReturn(4L);
+    private List<FirewallRule> createNewRuleList(long newNetworkId) {
+        List<String> sString = Arrays.asList("10.1.1.1/24","192.168.1.1/24");
+        List<String> dString2 = Arrays.asList("10.1.1.128/25");
 
-        FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
-        FirewallRule newRule4 = new FirewallRuleVO("newRule4", 3L, 15, 25, "TCP", 1, 2, 1, Purpose.Firewall, sString, dString2, null, null,
+        FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", newNetworkId, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule4 = new FirewallRuleVO("newRule4", 3L, 15, 25, "TCP", newNetworkId, 2, 1, Purpose.Firewall, sString, dString2, null, null,
                 null, FirewallRule.TrafficType.Egress);
+        return Arrays.asList(newRule1, newRule2, newRule3, newRule4);
+    }
+
+    @Test
+    public void testDetectRulesConflictIsolatedNetwork() {
+        List<FirewallRuleVO> ruleList = createExistingFirewallListRulesList(1L);
+        when(_firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
+
+        List<FirewallRule> newRuleList = createNewRuleList(1L);
+
+        NetworkVO networkVO = Mockito.mock(NetworkVO.class);
+        when(_firewallMgr._networkDao.findById(1L)).thenReturn(networkVO);
+        when(networkVO.getVpcId()).thenReturn(null);
 
         try {
-            firewallMgr.detectRulesConflict(newRule1);
-            firewallMgr.detectRulesConflict(newRule2);
-            firewallMgr.detectRulesConflict(newRule3);
-            firewallMgr.detectRulesConflict(newRule4);
+            for (FirewallRule newRule : newRuleList) {
+                _firewallMgr.detectRulesConflict(newRule);
+            }
         }
         catch (NetworkRuleConflictException ex) {
             Assert.fail();
         }
     }
 
+    private void testDetectRulesConflictVpcBase(boolean vpcConserveMode) throws NetworkRuleConflictException {
+        long existingNetworkId = 1L;
+        long newNetworkId = 2L;
+        long vpcId = 10L;
+
+        List<FirewallRuleVO> ruleList = createExistingFirewallListRulesList(existingNetworkId);
+        when(_firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
+
+        List<FirewallRule> newRuleList = createNewRuleList(newNetworkId);
+
+        NetworkVO newNetworkVO = Mockito.mock(NetworkVO.class);
+        Vpc vpc = Mockito.mock(Vpc.class);
+        when(_firewallMgr._networkDao.findById(2L)).thenReturn(newNetworkVO);
+        when(newNetworkVO.getVpcId()).thenReturn(vpcId);
+        when(_vpcMgr.getActiveVpc(Mockito.eq(vpcId))).thenReturn(vpc);
+        when(_vpcMgr.isNetworkOnVpcEnabledConserveMode(Mockito.eq(newNetworkVO))).thenReturn(vpcConserveMode);
+
+        for (FirewallRule newRule : newRuleList) {
+            _firewallMgr.detectRulesConflict(newRule);
+        }
+    }
+
+    @Test
+    public void testDetectRulesConflictVpcConserveMode() throws NetworkRuleConflictException {
+        // When VPC conserve mode is enabled, rules can be created for multiple network tiers
+        testDetectRulesConflictVpcBase(true);
+    }
+
+    @Test(expected = NetworkRuleConflictException.class)
+    public void testDetectRulesConflictVpcConserveModeFalse() throws NetworkRuleConflictException {
+        // When VPC conserve mode is disabled, an exception should be thrown when attempting to create rules on different network tiers
+        testDetectRulesConflictVpcBase(false);
+    }
+
     @Test
     public void checkIfRulesHaveConflictingPortRangesTestOnlyOneRuleIsFirewallReturnsFalse()
     {
diff --git a/server/src/test/java/com/cloud/network/lb/AssignLoadBalancerTest.java b/server/src/test/java/com/cloud/network/lb/AssignLoadBalancerTest.java
index 6b7677221bb..1fc0517a727 100644
--- a/server/src/test/java/com/cloud/network/lb/AssignLoadBalancerTest.java
+++ b/server/src/test/java/com/cloud/network/lb/AssignLoadBalancerTest.java
@@ -32,6 +32,7 @@ import com.cloud.network.dao.LoadBalancerVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.RulesManagerImpl;
+import com.cloud.network.vpc.VpcManager;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
@@ -146,7 +147,7 @@ public class AssignLoadBalancerTest {
         when(lbdao.findById(anyLong())).thenReturn(Mockito.mock(LoadBalancerVO.class));
         when(autoScaleVmGroupDao.isAutoScaleLoadBalancer(anyLong())).thenReturn(Boolean.FALSE);
 
-        _lbMgr.assignToLoadBalancer(1L, null, emptyMap, false);
+        _lbMgr.assignToLoadBalancer(1L, null, emptyMap, null, false);
 
     }
 
@@ -171,6 +172,7 @@ public class AssignLoadBalancerTest {
         NetworkDao networkDao = Mockito.mock(NetworkDao.class);
         AccountManager accountMgr = Mockito.mock(AccountManager.class);
         AutoScaleVmGroupDao autoScaleVmGroupDao = Mockito.mock(AutoScaleVmGroupDao.class);
+        VpcManager vpcMgr = Mockito.mock(VpcManager.class);
 
         _lbMgr._lbDao = lbDao;
         _lbMgr._lb2VmMapDao = lb2VmMapDao;
@@ -182,6 +184,7 @@ public class AssignLoadBalancerTest {
         _lbMgr._rulesMgr = _rulesMgr;
         _lbMgr._networkModel = _networkModel;
         _lbMgr._autoScaleVmGroupDao = autoScaleVmGroupDao;
+        _lbMgr._vpcMgr = vpcMgr;
 
         when(lbDao.findById(anyLong())).thenReturn(Mockito.mock(LoadBalancerVO.class));
         when(userVmDao.findById(anyLong())).thenReturn(vm);
@@ -189,8 +192,9 @@ public class AssignLoadBalancerTest {
         when(accountDao.findById(anyLong())).thenReturn(Mockito.mock(AccountVO.class));
         Mockito.doNothing().when(accountMgr).checkAccess(any(Account.class), any(SecurityChecker.AccessType.class), any(Boolean.class), any(Network.class));
         when(autoScaleVmGroupDao.isAutoScaleLoadBalancer(anyLong())).thenReturn(Boolean.FALSE);
+        when(vpcMgr.isNetworkOnVpcEnabledConserveMode(any())).thenReturn(false);
 
-        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, false);
+        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, null, false);
     }
 
 
@@ -218,6 +222,7 @@ public class AssignLoadBalancerTest {
         AccountManager accountMgr = Mockito.mock(AccountManager.class);
         NicSecondaryIpDao nicSecIpDao =  Mockito.mock(NicSecondaryIpDao.class);
         AutoScaleVmGroupDao autoScaleVmGroupDao = Mockito.mock(AutoScaleVmGroupDao.class);
+        VpcManager vpcMgr = Mockito.mock(VpcManager.class);
 
         _lbMgr._lbDao = lbDao;
         _lbMgr._lb2VmMapDao = lb2VmMapDao;
@@ -230,14 +235,16 @@ public class AssignLoadBalancerTest {
         _lbMgr._rulesMgr = _rulesMgr;
         _lbMgr._networkModel = _networkModel;
         _lbMgr._autoScaleVmGroupDao = autoScaleVmGroupDao;
+        _lbMgr._vpcMgr = vpcMgr;
 
         when(lbDao.findById(anyLong())).thenReturn(lbVO);
         when(userVmDao.findById(anyLong())).thenReturn(vm);
         when(lb2VmMapDao.listByLoadBalancerId(anyLong(), anyBoolean())).thenReturn(_lbvmMapList);
         when (nicSecIpDao.findByIp4AddressAndNicId(anyString(), anyLong())).thenReturn(null);
         when(autoScaleVmGroupDao.isAutoScaleLoadBalancer(anyLong())).thenReturn(Boolean.FALSE);
+        when(vpcMgr.isNetworkOnVpcEnabledConserveMode(any())).thenReturn(false);
 
-        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, false);
+        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, null, false);
     }
 
 
@@ -267,6 +274,7 @@ public class AssignLoadBalancerTest {
         NicSecondaryIpDao nicSecIpDao =  Mockito.mock(NicSecondaryIpDao.class);
         LoadBalancerVMMapVO lbVmMapVO = new LoadBalancerVMMapVO(1L, 1L, "10.1.1.175", false);
         AutoScaleVmGroupDao autoScaleVmGroupDao = Mockito.mock(AutoScaleVmGroupDao.class);
+        VpcManager vpcMgr = Mockito.mock(VpcManager.class);
 
         _lbMgr._lbDao = lbDao;
         _lbMgr._lb2VmMapDao = lb2VmMapDao;
@@ -280,14 +288,16 @@ public class AssignLoadBalancerTest {
         _lbMgr._rulesMgr = _rulesMgr;
         _lbMgr._networkModel = _networkModel;
         _lbMgr._autoScaleVmGroupDao = autoScaleVmGroupDao;
+        _lbMgr._vpcMgr = vpcMgr;
 
         when(lbDao.findById(anyLong())).thenReturn(lbVO);
         when(userVmDao.findById(anyLong())).thenReturn(vm);
         when(lb2VmMapDao.listByLoadBalancerId(anyLong(), anyBoolean())).thenReturn(_lbvmMapList);
         when (nicSecIpDao.findByIp4AddressAndNicId(anyString(), anyLong())).thenReturn(null);
         when(autoScaleVmGroupDao.isAutoScaleLoadBalancer(anyLong())).thenReturn(Boolean.FALSE);
+        when(vpcMgr.isNetworkOnVpcEnabledConserveMode(any())).thenReturn(false);
 
-        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, false);
+        _lbMgr.assignToLoadBalancer(1L, null, vmIdIpMap, null, false);
     }
 
     @After
diff --git a/server/src/test/java/com/cloud/network/lb/LoadBalancingRulesManagerImplTest.java b/server/src/test/java/com/cloud/network/lb/LoadBalancingRulesManagerImplTest.java
index 78655ba9a05..cfa0e2edaae 100644
--- a/server/src/test/java/com/cloud/network/lb/LoadBalancingRulesManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/lb/LoadBalancingRulesManagerImplTest.java
@@ -27,15 +27,18 @@ import com.cloud.network.dao.LoadBalancerVO;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.SslCertVO;
+import com.cloud.network.vpc.VpcManager;
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
 import com.cloud.user.User;
 import com.cloud.user.UserVO;
+import com.cloud.uservm.UserVm;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.utils.net.NetUtils;
+import com.cloud.vm.Nic;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ServerApiException;
@@ -54,7 +57,10 @@ import org.springframework.test.util.ReflectionTestUtils;
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 
 import static org.mockito.ArgumentMatchers.anyLong;
@@ -89,6 +95,9 @@ public class LoadBalancingRulesManagerImplTest{
     @Mock
     NetworkOfferingServiceMapDao _networkOfferingServiceDao;
 
+    @Mock
+    VpcManager vpcManager;
+
     @Spy
     @InjectMocks
     LoadBalancingRulesManagerImpl lbr = new LoadBalancingRulesManagerImpl();
@@ -308,4 +317,47 @@ public class LoadBalancingRulesManagerImplTest{
         Mockito.verify(loadBalancerMock, times(1)).setLbProtocol(NetUtils.TCP_PROTO);
         Mockito.verify(loadBalancerMock, times(1)).setLbProtocol(NetUtils.SSL_PROTO);
     }
+
+    @Test
+    public void testGetVmNicInLoadBalancerDefaultCase() {
+        UserVm userVm = Mockito.mock(UserVm.class);
+        LoadBalancerVO loadBalancer = Mockito.mock(LoadBalancerVO.class);
+        Network loadBalancerNetwork = Mockito.mock(Network.class);
+        Account owner = Mockito.mock(Account.class);
+
+        when(vpcManager.isNetworkOnVpcEnabledConserveMode(Mockito.eq(loadBalancerNetwork))).thenReturn(false);
+
+        when(loadBalancer.getNetworkId()).thenReturn(networkId);
+        Nic nic = Mockito.mock(Nic.class);
+        when(nic.getNetworkId()).thenReturn(networkId);
+        List<? extends Nic> nics = Collections.singletonList(nic);
+        Mockito.doReturn(nics).when(_networkModel).getNics(anyLong());
+        Nic nicInLb = lbr.getVmNicInLoadBalancer(userVm, loadBalancer, loadBalancerNetwork, null, owner);
+        Assert.assertEquals(nic, nicInLb);
+    }
+
+    @Test
+    public void testGetVmNicInLoadBalancerVPCConserveMode() {
+        long vmId = 30L;
+        UserVm userVm = Mockito.mock(UserVm.class);
+        when(userVm.getId()).thenReturn(vmId);
+        LoadBalancerVO loadBalancer = Mockito.mock(LoadBalancerVO.class);
+        Network loadBalancerNetwork = Mockito.mock(Network.class);
+        Account owner = Mockito.mock(Account.class);
+
+        long networkTier2Id = 20L;
+        NetworkVO networkTier2 = Mockito.mock(NetworkVO.class);
+        Map<Long, Long> vmIdNetworkIdMap = new HashMap<>();
+        vmIdNetworkIdMap.put(vmId, networkTier2Id);
+
+        when(vpcManager.isNetworkOnVpcEnabledConserveMode(Mockito.eq(loadBalancerNetwork))).thenReturn(true);
+        when(_networkDao.findById(networkTier2Id)).thenReturn(networkTier2);
+        when(networkTier2.getVpcId()).thenReturn(10L);
+        when(loadBalancerNetwork.getVpcId()).thenReturn(10L);
+        Nic nic = Mockito.mock(Nic.class);
+        when(_networkModel.getNicInNetwork(Mockito.eq(vmId), Mockito.eq(networkTier2Id))).thenReturn(nic);
+
+        Nic nicInLb = lbr.getVmNicInLoadBalancer(userVm, loadBalancer, loadBalancerNetwork, vmIdNetworkIdMap, owner);
+        Assert.assertEquals(nic, nicInLb);
+    }
 }
diff --git a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
index 4f92c60e25a..ff34d72c218 100644
--- a/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
+++ b/server/src/test/java/com/cloud/network/vpc/VpcManagerImplTest.java
@@ -581,4 +581,27 @@ public class VpcManagerImplTest {
         Assert.assertThrows(InvalidParameterValueException.class, () -> manager.validateVpcPrivateGatewayAclId(vpcId, differentVpcAclId));
     }
 
+    @Test
+    public void testIsNetworkOnVpcEnabledConserveModeIsolatedNetwork() {
+        Network network = mock(Network.class);
+        Mockito.when(network.getVpcId()).thenReturn(null);
+        Assert.assertFalse(manager.isNetworkOnVpcEnabledConserveMode(network));
+    }
+
+    @Test
+    public void testIsNetworkOnVpcEnabledConserveModeVpcNetworkConserveMode() {
+        Network network = mock(Network.class);
+        Vpc vpc = mock(Vpc.class);
+        VpcOfferingVO vpcOffering = mock(VpcOfferingVO.class);
+        long vpcId = 10L;
+        long vpcOfferingId = 11L;
+
+        Mockito.when(network.getVpcId()).thenReturn(vpcId);
+        Mockito.when(vpcDao.getActiveVpcById(Mockito.eq(vpcId))).thenReturn(vpc);
+        Mockito.when(vpc.getVpcOfferingId()).thenReturn(vpcOfferingId);
+        Mockito.when(vpcOfferingDao.findById(Mockito.eq(vpcOfferingId))).thenReturn(vpcOffering);
+        Mockito.when(vpcOffering.isConserveMode()).thenReturn(true);
+        Assert.assertTrue(manager.isNetworkOnVpcEnabledConserveMode(network));
+    }
+
 }
diff --git a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
index e5d09ba9141..c476895ea50 100644
--- a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
+++ b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java
@@ -19,12 +19,15 @@ package com.cloud.user;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.nullable;
 
+import com.cloud.utils.Ternary;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
@@ -32,10 +35,24 @@ import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.Role;
 import org.apache.cloudstack.acl.RoleService;
 import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.acl.ApiKeyPairPermissionVO;
+import org.apache.cloudstack.acl.ApiKeyPairVO;
+import org.apache.cloudstack.acl.RolePermission;
+import org.apache.cloudstack.acl.RolePermissionEntity;
+import org.apache.cloudstack.acl.RolePermissionVO;
+import org.apache.cloudstack.acl.RoleVO;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.command.admin.account.UpdateAccountCmd;
+
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPair;
+import org.apache.cloudstack.acl.apikeypair.ApiKeyPairService;
+import org.apache.cloudstack.acl.dao.ApiKeyPairDao;
+import org.apache.cloudstack.acl.dao.ApiKeyPairPermissionsDao;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.command.admin.user.DeleteUserCmd;
 import org.apache.cloudstack.api.command.admin.user.GetUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.ListUserKeysCmd;
+import org.apache.cloudstack.api.command.admin.user.RegisterUserKeysCmd;
 import org.apache.cloudstack.api.command.admin.user.UpdateUserCmd;
 import org.apache.cloudstack.api.response.UserTwoFactorAuthenticationSetupResponse;
 import org.apache.cloudstack.auth.UserAuthenticator;
@@ -86,7 +103,9 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     @Mock
     private AccountService accountService;
     @Mock
-    private GetUserKeysCmd _listkeyscmd;
+    private GetUserKeysCmd _getkeyscmd;
+    @Mock
+    private ListUserKeysCmd listUserKeysCmd;
     @Mock
     private User _user;
     @Mock
@@ -102,6 +121,15 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     @Mock
     private UserVO userVoMock;
 
+    @Mock
+    private ApiKeyPairService apiKeyPairService;
+
+    @Mock
+    private ApiKeyPairVO apiKeyPairVOMock;
+
+    @Mock
+    private Pair<List<ApiKeyPairVO>, Integer> pairMock;
+
     private final long accountMockId = 100L;
 
     @Mock
@@ -128,9 +156,19 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
 
     @Mock
     ConfigKey<Boolean> allowOperationsOnUsersInSameAccountMock;
+
     @Mock
     RoleService roleService;
 
+    @Mock
+    ApiKeyPairPermissionsDao apiKeyPairPermissionsDaoMock;
+
+    @Mock
+    ApiKeyPairDao apiKeyPairDaoMock;
+
+    @Mock
+    RegisterUserKeysCmd registerCmdMock;
+
     @Before
     public void setUp() throws Exception {
         enableUserTwoFactorAuthenticationMock = Mockito.mock(ConfigKey.class);
@@ -150,6 +188,13 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         Mockito.doReturn(userVoIdMock).when(userVoMock).getId();
 
         Mockito.lenient().doNothing().when(accountManagerImpl).checkRoleEscalation(accountMock, accountMock);
+        Mockito.doReturn(accountMockId).when(accountVoMock).getId();
+
+        Mockito.when(apiKeyPairDaoMock.persist(Mockito.any())).thenAnswer(i -> {
+            ApiKeyPairVO keyPair = (ApiKeyPairVO) i.getArguments()[0];
+            keyPair.setId(1L);
+            return keyPair;
+        });
     }
 
     @Test
@@ -296,6 +341,7 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
 
             Mockito.doNothing().when(accountManagerImpl).checkAccountAndAccess(Mockito.any(), Mockito.any());
             Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(userVoMock);
+            Mockito.doNothing().when(accountManagerImpl).removeUserApiKeys(Mockito.anyLong());
             accountManagerImpl.deleteUser(cmd);
         }
     }
@@ -334,13 +380,10 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     }
 
     @Test(expected = PermissionDeniedException.class)
-    public void testgetUserCmd() {
+    public void testGetUserCmd() {
         CallContext.register(callingUser, callingAccount); // Calling account is user account i.e normal account
-        Mockito.when(_listkeyscmd.getID()).thenReturn(1L);
+        Mockito.when(_getkeyscmd.getId()).thenReturn(1L);
         Mockito.when(accountManagerImpl.getActiveUser(1L)).thenReturn(userVoMock);
-        Mockito.when(userAccountDao.findById(1L)).thenReturn(userAccountVO);
-        Mockito.when(userAccountVO.getAccountId()).thenReturn(1L);
-        Mockito.lenient().when(accountManagerImpl.getAccount(Mockito.anyLong())).thenReturn(accountMock); // Queried account - admin account
 
         Mockito.lenient().when(callingUser.getAccountId()).thenReturn(1L);
         Mockito.lenient().when(_accountDao.findById(1L)).thenReturn(callingAccount);
@@ -348,17 +391,15 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         Mockito.lenient().when(accountService.isNormalUser(Mockito.anyLong())).thenReturn(Boolean.TRUE);
         Mockito.lenient().when(accountMock.getAccountId()).thenReturn(2L);
 
-        accountManagerImpl.getKeys(_listkeyscmd);
+        accountManagerImpl.getKeys(_getkeyscmd);
     }
 
     @Test(expected = PermissionDeniedException.class)
     public void testGetUserKeysCmdDomainAdminRootAdminUser() {
         CallContext.register(callingUser, callingAccount);
-        Mockito.when(_listkeyscmd.getID()).thenReturn(2L);
+        Mockito.when(_getkeyscmd.getId()).thenReturn(2L);
         Mockito.when(accountManagerImpl.getActiveUser(2L)).thenReturn(userVoMock);
-        Mockito.when(userAccountDao.findById(2L)).thenReturn(userAccountVO);
-        Mockito.when(userAccountVO.getAccountId()).thenReturn(2L);
-        Mockito.when(userDetailsDaoMock.listDetailsKeyPairs(Mockito.anyLong())).thenReturn(null);
+        Mockito.when(userVoMock.getAccountId()).thenReturn(2L);
 
         // Queried account - admin account
         AccountVO adminAccountMock = Mockito.mock(AccountVO.class);
@@ -377,7 +418,7 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         Mockito.lenient().when(accountService.isDomainAdmin(Mockito.anyLong())).thenReturn(Boolean.TRUE);
         Mockito.lenient().when(accountMock.getAccountId()).thenReturn(2L);
 
-        accountManagerImpl.getKeys(_listkeyscmd);
+        accountManagerImpl.getKeys(_getkeyscmd);
     }
 
     @Test
@@ -472,7 +513,6 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         Mockito.doReturn("password").when(UpdateUserCmdMock).getPassword();
         Mockito.doReturn("newpassword").when(UpdateUserCmdMock).getCurrentPassword();
         Mockito.doReturn(userVoMock).when(accountManagerImpl).retrieveAndValidateUser(UpdateUserCmdMock);
-        Mockito.doNothing().when(accountManagerImpl).validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
         Mockito.doReturn(accountMock).when(accountManagerImpl).retrieveAndValidateAccount(userVoMock);
 
         Mockito.doNothing().when(accountManagerImpl).validateAndUpdateFirstNameIfNeeded(UpdateUserCmdMock, userVoMock);
@@ -523,63 +563,73 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     }
 
     @Test
-    public void validateAndUpdatApiAndSecretKeyIfNeededTestNoKeys() {
+    public void validateAndUpdateApiAndSecretKeyIfNeededTestNoKeys() {
         accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
 
-        Mockito.verify(userAccountDao, Mockito.times(0)).getUserByApiKey(Mockito.anyString());
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(0)).getLastApiKeyCreatedByUser(Mockito.anyLong());
+        Mockito.verify(accountManagerImpl, Mockito.times(0)).findUserByApiKey(Mockito.anyString());
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void validateAndUpdatApiAndSecretKeyIfNeededTestOnlyApiKeyInformed() {
+    public void validateAndUpdateApiAndSecretKeyIfNeededTestOnlyApiKeyInformed() {
         Mockito.doReturn("apiKey").when(UpdateUserCmdMock).getApiKey();
 
         accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void validateAndUpdatApiAndSecretKeyIfNeededTestOnlySecretKeyInformed() {
+    public void validateAndUpdateApiAndSecretKeyIfNeededTestOnlySecretKeyInformed() {
         Mockito.doReturn("secretKey").when(UpdateUserCmdMock).getSecretKey();
 
         accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void validateAndUpdatApiAndSecretKeyIfNeededTestApiKeyAlreadyUsedBySomeoneElse() {
+    public void validateAndUpdateApiAndSecretKeyIfNeededTestApiKeyAlreadyUsedBySomeoneElse() {
         String apiKey = "apiKey";
         Mockito.doReturn(apiKey).when(UpdateUserCmdMock).getApiKey();
         Mockito.doReturn("secretKey").when(UpdateUserCmdMock).getSecretKey();
 
         Mockito.doReturn(1L).when(userVoMock).getId();
+        Mockito.doReturn(apiKeyPairVOMock).when(apiKeyPairDaoMock).getLastApiKeyCreatedByUser(1L);
 
         User otherUserMock = Mockito.mock(User.class);
 
-        UserAccount UserAccountMock = Mockito.mock(UserAccount.class);
-        Mockito.doReturn(UserAccountMock).when(userAccountDao).getUserByApiKey(apiKey);
+        Ternary<User, Account, ApiKeyPair> pairUserAccountMock = new Ternary<User, Account, ApiKeyPair>(otherUserMock, Mockito.mock(Account.class), apiKeyPairVOMock);
+        Mockito.doReturn(pairUserAccountMock).when(accountManagerImpl).findUserByApiKey(apiKey);
 
         accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
     }
 
+    @Test(expected = InvalidParameterValueException.class)
+    public void validateAndUpdateApiAndSecretKeyIfNeededTestUserHasNoActiveApiKeyPair() {
+        String apiKey = "apiKey";
+        Mockito.doReturn(apiKey).when(UpdateUserCmdMock).getApiKey();
+        Mockito.doReturn("secretKey").when(UpdateUserCmdMock).getSecretKey();
+        Mockito.doReturn(1L).when(userVoMock).getId();
+        accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
+    }
+
     @Test
-    public void validateAndUpdatApiAndSecretKeyIfNeededTest() {
+    public void validateAndUpdateApiAndSecretKeyIfNeededTest() {
         String apiKey = "apiKey";
         Mockito.doReturn(apiKey).when(UpdateUserCmdMock).getApiKey();
 
         String secretKey = "secretKey";
         Mockito.doReturn(secretKey).when(UpdateUserCmdMock).getSecretKey();
 
-        User otherUserMock = Mockito.mock(User.class);
-
-        Mockito.doReturn(null).when(userAccountDao).getUserByApiKey(apiKey);
+        Mockito.doReturn(1L).when(userVoMock).getId();
+        Mockito.doReturn(apiKeyPairVOMock).when(apiKeyPairDaoMock).getLastApiKeyCreatedByUser(1L);
 
         accountManagerImpl.validateAndUpdateApiAndSecretKeyIfNeeded(UpdateUserCmdMock, userVoMock);
 
-        Mockito.verify(userAccountDao).getUserByApiKey(apiKey);
-        Mockito.verify(userVoMock).setApiKey(apiKey);
-        Mockito.verify(userVoMock).setSecretKey(secretKey);
+        Mockito.verify(accountManagerImpl).findUserByApiKey(apiKey);
+        Mockito.verify(apiKeyPairVOMock).setApiKey(apiKey);
+        Mockito.verify(apiKeyPairVOMock).setSecretKey(secretKey);
     }
 
     @Test
-    public void validateAndUpdatUserApiKeyAccess() {
+    public void validateAndUpdateUserApiKeyAccess() {
         Mockito.doReturn("Enabled").when(UpdateUserCmdMock).getApiKeyAccess();
         try (MockedStatic<ActionEventUtils> eventUtils = Mockito.mockStatic(ActionEventUtils.class)) {
             Mockito.when(ActionEventUtils.onActionEvent(Mockito.anyLong(), Mockito.anyLong(),
@@ -599,7 +649,7 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     }
 
     @Test
-    public void validateAndUpdatAccountApiKeyAccess() {
+    public void validateAndUpdateAccountApiKeyAccess() {
         Mockito.doReturn("Inherit").when(UpdateAccountCmdMock).getApiKeyAccess();
         try (MockedStatic<ActionEventUtils> eventUtils = Mockito.mockStatic(ActionEventUtils.class)) {
             Mockito.when(ActionEventUtils.onActionEvent(Mockito.anyLong(), Mockito.anyLong(),
@@ -613,7 +663,7 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
     }
 
     @Test(expected = InvalidParameterValueException.class)
-    public void validateAndUpdatAccountApiKeyAccessInvalidParameter() {
+    public void validateAndUpdateAccountApiKeyAccessInvalidParameter() {
         Mockito.doReturn("False").when(UpdateAccountCmdMock).getApiKeyAccess();
         accountManagerImpl.validateAndUpdateAccountApiKeyAccess(UpdateAccountCmdMock, accountVoMock);
     }
@@ -1271,6 +1321,354 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         Assert.assertEquals(userAccountVOList.get(0), userAccounts.get(0));
     }
 
+    @Test
+    public void createApiKeyAndSecretKeyTestWithEmptyRules() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = 111L;
+
+        Mockito.when(registerCmdMock.getRules()).thenReturn(List.of());
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        Mockito.when(userDaoMock.findById(any())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairDaoMock.findBySecretKey(Mockito.anyString())).thenReturn(null);
+        Mockito.when(roleService.findAllRolePermissionsEntityBy(Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(List.of(
+                new RolePermissionVO(1L, "api2", RolePermissionEntity.Permission.ALLOW, "description")
+        ));
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+        Mockito.when(roleService.roleHasPermission(Mockito.anyMap(), Mockito.anyList())).thenReturn(true);
+
+        accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(0)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(0)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiKeyAndSecretKeyTestPermissionNotPresentOnAccount() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api1",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(any())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any());
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(roleService.findAllRolePermissionsEntityBy(Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(List.of(
+                new RolePermissionVO(1L, "api2", RolePermissionEntity.Permission.ALLOW, "description")
+        ));
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(1)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(0)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiKeyAndSecretTestKeyDeniedOnAccount() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any());
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairDaoMock.findBySecretKey(Mockito.anyString())).thenReturn(null);
+        Mockito.when(roleService.findAllRolePermissionsEntityBy(Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(List.of(
+                new RolePermissionVO(1L, "api", RolePermissionEntity.Permission.DENY, "description")
+        ));
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(1)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(0)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+    @Test
+    public void createApiKeyAndSecretKeyTestAllowedOnAccount() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = callingUser.getId();
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        ApiKeyPairPermissionVO permissionVO = new ApiKeyPairPermissionVO();
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairPermissionsDaoMock.persist(Mockito.any(ApiKeyPairPermissionVO.class))).thenReturn(permissionVO);
+        Mockito.doReturn(true).when(roleService).roleHasPermission(Mockito.any(), Mockito.any());
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        Assert.assertEquals((long) accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock).getUserId(), userId);
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(1)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+
+    @Test
+    public void createApiAndSecretKeyTestWithNonEmptyDates() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        Date startDate = Date.from(Instant.parse("2024-03-03T10:15:30.00Z"));
+        Date endDate = Date.from(Instant.parse("2124-03-04T10:15:30.00Z"));
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+        Mockito.when(registerCmdMock.getStartDate()).thenReturn(startDate);
+        Mockito.when(registerCmdMock.getEndDate()).thenReturn(endDate);
+        Mockito.when(registerCmdMock.getDescription()).thenReturn("key description");
+
+        UserVO mockUser = new UserVO(userId);
+        ApiKeyPairPermissionVO permissionVO = new ApiKeyPairPermissionVO();
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairPermissionsDaoMock.persist(Mockito.any(ApiKeyPairPermissionVO.class))).thenReturn(permissionVO);
+        Mockito.when(apiKeyPairDaoMock.findBySecretKey(Mockito.anyString())).thenReturn(null);
+        Mockito.doReturn(true).when(roleService).roleHasPermission(Mockito.any(), Mockito.any());
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        ApiKeyPair response = accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(1)).persist(Mockito.any(ApiKeyPairVO.class));
+        Assert.assertEquals(userId, (long) response.getUserId());
+        Assert.assertEquals(response.getStartDate(), startDate);
+        Assert.assertEquals(response.getEndDate(), endDate);
+        Assert.assertEquals("key description", response.getDescription());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiAndSecretKeyTestWithExpiredDate() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+
+        Date startDate = Date.from(Instant.parse("2024-03-01T10:15:30.00Z"));
+        Date endDate = Date.from(Instant.parse("2024-03-02T10:15:30.00Z"));
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+        Mockito.when(registerCmdMock.getStartDate()).thenReturn(startDate);
+        Mockito.when(registerCmdMock.getEndDate()).thenReturn(endDate);
+        Mockito.when(registerCmdMock.getDescription()).thenReturn("key description");
+
+        UserVO mockUser = new UserVO(userId);
+        ApiKeyPairPermissionVO permissionVO = new ApiKeyPairPermissionVO();
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+
+        ApiKeyPair response = accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Assert.assertEquals((long) response.getUserId(), userId);
+        Assert.assertEquals(response.getStartDate(), startDate);
+        Assert.assertEquals(response.getEndDate(), endDate);
+        Assert.assertEquals(response.getDescription(), "key description");
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiAndSecretKeyTestWithInvalidDate() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+
+        Date endDate = Date.from(Instant.parse("2024-03-02T10:15:30.00Z")); // this test will break in 100 years :O
+        Date startDate = Date.from(Instant.parse("2024-10-02T10:15:30.00Z"));
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+        Mockito.when(registerCmdMock.getStartDate()).thenReturn(startDate);
+        Mockito.when(registerCmdMock.getEndDate()).thenReturn(endDate);
+        Mockito.when(registerCmdMock.getDescription()).thenReturn("key description");
+
+        UserVO mockUser = new UserVO(userId);
+        ApiKeyPairPermissionVO permissionVO = new ApiKeyPairPermissionVO();
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+
+        ApiKeyPair response = accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Assert.assertEquals(userId, (long) response.getUserId());
+        Assert.assertEquals(response.getStartDate(), startDate);
+        Assert.assertEquals(response.getEndDate(), endDate);
+        Assert.assertEquals("key description", response.getDescription());
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiAndSecretKeyTestWithMultipleAllowedPermissionsOneDenied() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api1",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        rules.add(Map.of(
+                ApiConstants.RULE, "api2",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        rules.add(Map.of(
+                ApiConstants.RULE, "api3",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        UserVO mockUser = new UserVO(userId);
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairDaoMock.findBySecretKey(Mockito.anyString())).thenReturn(null);
+        Mockito.when(roleService.findAllRolePermissionsEntityBy(Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(List.of(
+                new RolePermissionVO(1L, "api1", RolePermissionEntity.Permission.ALLOW, "description-1"),
+                new RolePermissionVO(1L, "api2", RolePermissionEntity.Permission.ALLOW, "description-2"),
+                new RolePermissionVO(1L, "api3", RolePermissionEntity.Permission.DENY, "description-3")
+        ));
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(1)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(0)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+    @Test(expected = InvalidParameterValueException.class)
+    public void createApiAndSecretKeyTestWithMultipleAllowedPermissionsOneDoesNotExist() {
+        CallContext.register(callingUser, callingAccount);
+        Mockito.lenient().when(callingUser.getId()).thenReturn(111L);
+        long userId = 111L;
+
+        List<Map<String, Object>> rules = new ArrayList<>();
+        rules.add(Map.of(
+                ApiConstants.RULE, "api1",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        rules.add(Map.of(
+                ApiConstants.RULE, "api2",
+                ApiConstants.PERMISSION, RolePermission.Permission.ALLOW,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        rules.add(Map.of(
+                ApiConstants.RULE, "api3",
+                ApiConstants.PERMISSION, RolePermission.Permission.DENY,
+                ApiConstants.DESCRIPTION, "description"
+        ));
+        Mockito.when(registerCmdMock.getRules()).thenReturn(rules);
+        Mockito.when(registerCmdMock.getUserId()).thenReturn(userId);
+
+        ApiKeyPairVO apiKeyPairVO = new ApiKeyPairVO();
+        apiKeyPairVO.setUserId(userId);
+        apiKeyPairVO.setId(1L);
+
+        Mockito.when(userDaoMock.findById(Mockito.anyLong())).thenReturn(userVoMock);
+        Mockito.when(_accountDao.findById(Mockito.anyLong())).thenReturn(accountVoMock);
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(Account.class), Mockito.isNull(), Mockito.anyBoolean(), Mockito.any(Account.class));
+        Mockito.doNothing().when(accountManagerImpl).verifyCallerPrivilegeForUserOrAccountOperations(Mockito.any(User.class));
+        Mockito.when(apiKeyPairDaoMock.findBySecretKey(Mockito.anyString())).thenReturn(null);
+        Mockito.when(roleService.findAllRolePermissionsEntityBy(Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(List.of(
+                new RolePermissionVO(1L, "api1", RolePermissionEntity.Permission.ALLOW, "description-1"),
+                new RolePermissionVO(1L, "api2", RolePermissionEntity.Permission.ALLOW, "description-2")
+        ));
+        Mockito.when(roleService.findRole(Mockito.anyLong())).thenReturn(new RoleVO());
+
+        accountManagerImpl.createApiKeyAndSecretKey(registerCmdMock);
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(0)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(0)).persist(Mockito.any(ApiKeyPairPermissionVO.class));
+    }
+
+    @Test
+    public void validateAccountHasAccessToResourceTestValidatesAccessToControlledEntity() {
+        VMInstanceVO vmInstanceVo = new VMInstanceVO();
+        Mockito.doNothing().when(accountManagerImpl).checkAccess(Mockito.any(), Mockito.any(), Mockito.anyBoolean(), Mockito.any());
+
+        accountManagerImpl.validateAccountHasAccessToResource(callingAccount, AccessType.UseEntry, vmInstanceVo);
+
+        Mockito.verify(accountManagerImpl).checkAccess(callingAccount, AccessType.UseEntry, true, vmInstanceVo);
+    }
+
     @Test
     public void testDeleteWebhooksForAccount() {
         try (MockedStatic<ComponentContext> mockedComponentContext = Mockito.mockStatic(ComponentContext.class)) {
@@ -1554,6 +1952,15 @@ public class AccountManagerImplTest extends AccountManagentImplTestBase {
         accountManagerImpl.assertUserNotAlreadyInDomain(existingUser, originalAccount);
     }
 
+    @Test
+    public void deleteApiKeyTestOnePermission() {
+        Mockito.when(apiKeyPairPermissionsDaoMock.findAllByApiKeyPairId(Mockito.any())).thenReturn(List.of(new ApiKeyPairPermissionVO()));
+        Mockito.when(userDaoMock.findByIdIncludingRemoved(Mockito.any())).thenReturn(new UserVO());
+        accountManagerImpl.deleteApiKey(new ApiKeyPairVO(1L, 1L));
+        Mockito.verify(apiKeyPairPermissionsDaoMock, Mockito.times(1)).remove(Mockito.anyLong());
+        Mockito.verify(apiKeyPairDaoMock, Mockito.times(1)).remove(Mockito.anyLong());
+    }
+
     @Test
     public void testCheckCallerRoleTypeAllowedToUpdateUserSameAccount() {
         Mockito.lenient().when(accountManagerImpl.getCurrentCallingAccount()).thenReturn(accountMock);
diff --git a/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java b/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
index 4edafb3a05a..f7439386fab 100644
--- a/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
+++ b/server/src/test/java/com/cloud/vm/UserVmManagerImplTest.java
@@ -89,6 +89,7 @@ import org.apache.cloudstack.engine.subsystem.api.storage.Scope;
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeDataFactory;
 import org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo;
 import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO;
 import org.apache.cloudstack.storage.datastore.db.PrimaryDataStoreDao;
 import org.apache.cloudstack.storage.datastore.db.StoragePoolVO;
 import org.apache.cloudstack.storage.template.VnfTemplateManager;
@@ -1823,35 +1824,35 @@ public class UserVmManagerImplTest {
         Mockito.doReturn(false).when(accountManager).isAdmin(Mockito.anyLong());
         Mockito.doReturn(false).when(userVmManagerImpl).getConfigAllowUserExpungeRecoverVm(Mockito.anyLong());
 
-        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock));
+        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock, null));
     }
     @Test
     public void checkExpungeVmPermissionTestAccountIsNotAdminConfigTrueNoApiAccessThrowsPermissionDeniedException () {
         Mockito.doReturn(false).when(accountManager).isAdmin(Mockito.anyLong());
         Mockito.doReturn(true).when(userVmManagerImpl).getConfigAllowUserExpungeRecoverVm(Mockito.anyLong());
-        doThrow(PermissionDeniedException.class).when(accountManager).checkApiAccess(accountMock, "expungeVirtualMachine");
+        doThrow(PermissionDeniedException.class).when(accountManager).checkApiAccess(accountMock, "expungeVirtualMachine", null);
 
-        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock));
+        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock, null));
     }
     @Test
     public void checkExpungeVmPermissionTestAccountIsNotAdminConfigTrueHasApiAccessReturnNothing () {
         Mockito.doReturn(false).when(accountManager).isAdmin(Mockito.anyLong());
         Mockito.doReturn(true).when(userVmManagerImpl).getConfigAllowUserExpungeRecoverVm(Mockito.anyLong());
 
-        userVmManagerImpl.checkExpungeVmPermission(accountMock);
+        userVmManagerImpl.checkExpungeVmPermission(accountMock, null);
     }
     @Test
     public void checkExpungeVmPermissionTestAccountIsAdminNoApiAccessThrowsPermissionDeniedException () {
         Mockito.doReturn(true).when(accountManager).isAdmin(Mockito.anyLong());
-        doThrow(PermissionDeniedException.class).when(accountManager).checkApiAccess(accountMock, "expungeVirtualMachine");
+        doThrow(PermissionDeniedException.class).when(accountManager).checkApiAccess(accountMock, "expungeVirtualMachine", null);
 
-        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock));
+        Assert.assertThrows(PermissionDeniedException.class, () -> userVmManagerImpl.checkExpungeVmPermission(accountMock, null));
     }
     @Test
     public void checkExpungeVmPermissionTestAccountIsAdminHasApiAccessReturnNothing () {
         Mockito.doReturn(true).when(accountManager).isAdmin(Mockito.anyLong());
 
-        userVmManagerImpl.checkExpungeVmPermission(accountMock);
+        userVmManagerImpl.checkExpungeVmPermission(accountMock, null);
     }
 
     @Test
@@ -3661,7 +3662,7 @@ public class UserVmManagerImplTest {
         when(callingAccount.getId()).thenReturn(accountId);
         when(callContext.getCallingAccount()).thenReturn(callingAccount);
         when(accountManager.isAdmin(callingAccount.getId())).thenReturn(true);
-        doNothing().when(accountManager).checkApiAccess(callingAccount, BaseCmd.getCommandNameByClass(ExpungeVMCmd.class));
+        doNothing().when(accountManager).checkApiAccess(callingAccount, BaseCmd.getCommandNameByClass(ExpungeVMCmd.class), null);
         try (MockedStatic<CallContext> mockedCallContext = mockStatic(CallContext.class)) {
             mockedCallContext.when(CallContext::current).thenReturn(callContext);
             mockedCallContext.when(() -> CallContext.register(callContext, ApiCommandResourceType.Volume)).thenReturn(callContext);
@@ -3671,6 +3672,9 @@ public class UserVmManagerImplTest {
             when(cmd.getExpunge()).thenReturn(expunge);
             List<Long> volumeIds = List.of(volumeId);
             when(cmd.getVolumeIds()).thenReturn(volumeIds);
+            AsyncJobVO asyncJobMock = mock(AsyncJobVO.class);
+            when(cmd.getJob()).thenReturn(asyncJobMock);
+            when(asyncJobMock.getCmdInfo()).thenReturn("{}");
 
             UserVmVO vm = mock(UserVmVO.class);
             when(vm.getId()).thenReturn(vmId);
diff --git a/server/src/test/java/com/cloud/vpc/MockConfigurationManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockConfigurationManagerImpl.java
index 2982c19ccdd..a8d3927f910 100644
--- a/server/src/test/java/com/cloud/vpc/MockConfigurationManagerImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockConfigurationManagerImpl.java
@@ -51,15 +51,18 @@ import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.net.NetUtils;
 import org.apache.cloudstack.api.command.admin.config.ResetCfgCmd;
 import org.apache.cloudstack.api.command.admin.config.UpdateCfgCmd;
+import org.apache.cloudstack.api.command.admin.network.CloneNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.CreateManagementNetworkIpRangeCmd;
-import org.apache.cloudstack.api.command.admin.network.CreateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteGuestNetworkIpv6PrefixCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteManagementNetworkIpRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.DeleteNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.ListGuestNetworkIpv6PrefixesCmd;
+import org.apache.cloudstack.api.command.admin.network.NetworkOfferingBaseCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdateNetworkOfferingCmd;
 import org.apache.cloudstack.api.command.admin.network.UpdatePodManagementNetworkIpRangeCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneDiskOfferingCmd;
+import org.apache.cloudstack.api.command.admin.offering.CloneServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateDiskOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.CreateServiceOfferingCmd;
 import org.apache.cloudstack.api.command.admin.offering.DeleteDiskOfferingCmd;
@@ -117,6 +120,24 @@ public class MockConfigurationManagerImpl extends ManagerBase implements Configu
         return null;
     }
 
+    @Override
+    public ServiceOffering cloneServiceOffering(CloneServiceOfferingCmd cmd) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public DiskOffering cloneDiskOffering(CloneDiskOfferingCmd cmd) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public NetworkOffering cloneNetworkOffering(CloneNetworkOfferingCmd cmd) {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
     /* (non-Javadoc)
      * @see com.cloud.configuration.ConfigurationService#updateServiceOffering(org.apache.cloudstack.api.commands.UpdateServiceOfferingCmd)
      */
@@ -336,7 +357,7 @@ public class MockConfigurationManagerImpl extends ManagerBase implements Configu
      * @see com.cloud.configuration.ConfigurationService#createNetworkOffering(org.apache.cloudstack.api.commands.CreateNetworkOfferingCmd)
      */
     @Override
-    public NetworkOffering createNetworkOffering(CreateNetworkOfferingCmd cmd) {
+    public NetworkOffering createNetworkOffering(NetworkOfferingBaseCmd cmd) {
         // TODO Auto-generated method stub
         return null;
     }
diff --git a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
index 54d8d67b6f8..de768388b44 100644
--- a/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
+++ b/server/src/test/java/com/cloud/vpc/MockNetworkManagerImpl.java
@@ -1148,4 +1148,9 @@ public class MockNetworkManagerImpl extends ManagerBase implements NetworkOrches
     public String getNicVlanValueForExternalVm(NicTO nic) {
         return null;
     }
+
+    @Override
+    public Long getPreferredNetworkIdForPublicIpRuleAssignment(IpAddress ip, Long networkId) {
+        return null;
+    }
 }
diff --git a/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java
index 5d9ee268d8b..7b070d4c7cb 100644
--- a/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java
+++ b/server/src/test/java/org/apache/cloudstack/acl/RoleManagerImplTest.java
@@ -21,7 +21,6 @@ import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.Pair;
 
-import org.apache.cloudstack.acl.RolePermissionEntity.Permission;
 import org.apache.cloudstack.acl.dao.RoleDao;
 import org.apache.cloudstack.acl.dao.RolePermissionsDao;
 import org.apache.commons.collections.CollectionUtils;
@@ -58,6 +57,10 @@ public class RoleManagerImplTest {
     @Mock
     private RolePermission rolePermission2Mock;
     @Mock
+    private RolePermission rolePermission2MockWithDeniedPermission;
+    @Mock
+    private RolePermission rolePermission3Mock;
+    @Mock
     private Account callerAccountMock;
     @Mock
     private Role callerAccountRoleMock;
@@ -76,7 +79,7 @@ public class RoleManagerImplTest {
     private RoleVO roleVoMock;
     private long roleMockId = 1l;
 
-    private Map<String, Permission> rolePermissions = new HashMap<>();
+    private Map<String, RolePermissionEntity> rolePermissions = new HashMap<>();
 
     public void setUpRoleVisibilityTests() {
         Mockito.doReturn(List.of("api1", "api2", "api3")).when(accountManagerMock).getApiNameList();
@@ -89,18 +92,11 @@ public class RoleManagerImplTest {
         Mockito.when(rolePermission2Mock.getRule()).thenReturn(new Rule("api2"));
         Mockito.doReturn(RolePermissionEntity.Permission.ALLOW).when(rolePermission1Mock).getPermission();
         Mockito.doReturn(RolePermissionEntity.Permission.ALLOW).when(rolePermission2Mock).getPermission();
+        Mockito.doReturn(RolePermissionEntity.Permission.DENY).when(rolePermission2MockWithDeniedPermission).getPermission();
 
-        List<RolePermission> lessPermissionsRolePermissions = Collections.singletonList(rolePermission1Mock);
         Mockito.doReturn(1L).when(lessPermissionsRoleMock).getId();
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(1L)).thenReturn(lessPermissionsRolePermissions);
-
-        List<RolePermission> morePermissionsRolePermissions = List.of(rolePermission1Mock, rolePermission2Mock);
         Mockito.doReturn(2L).when(morePermissionsRoleMock).getId();
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(morePermissionsRoleMock.getId())).thenReturn(morePermissionsRolePermissions);
-
-        List<RolePermission> differentPermissionsRolePermissions = Collections.singletonList(rolePermission2Mock);
         Mockito.doReturn(3L).when(differentPermissionsRoleMock).getId();
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(differentPermissionsRoleMock.getId())).thenReturn(differentPermissionsRolePermissions);
     }
 
     @Before
@@ -225,9 +221,6 @@ public class RoleManagerImplTest {
         setUpRoleVisibilityTests();
         List<Role> roles = new ArrayList<>();
 
-        List<RolePermission> callerAccountRolePermissions = List.of(rolePermission1Mock, rolePermission2Mock);
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(callerAccountRoleMock.getId())).thenReturn(callerAccountRolePermissions);
-
         roles.add(callerAccountRoleMock);
         roles.add(lessPermissionsRoleMock);
 
@@ -243,9 +236,11 @@ public class RoleManagerImplTest {
         setUpRoleVisibilityTests();
         List<Role> roles = new ArrayList<>();
 
-        List<RolePermission> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(callerAccountRoleMock.getId())).thenReturn(callerAccountRolePermissions);
+        List<RolePermissionEntity> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions);
 
+        List<RolePermissionEntity> callerAccountRolePermissions2 = Collections.singletonList(rolePermission2Mock);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(morePermissionsRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions2);
 
         roles.add(callerAccountRoleMock);
         roles.add(morePermissionsRoleMock);
@@ -261,8 +256,11 @@ public class RoleManagerImplTest {
         setUpRoleVisibilityTests();
         List<Role> roles = new ArrayList<>();
 
-        List<RolePermission> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
-        Mockito.when(roleManagerImpl.findAllPermissionsBy(callerAccountRoleMock.getId())).thenReturn(callerAccountRolePermissions);
+        List<RolePermissionEntity> callerAccountRolePermissions = Collections.singletonList(rolePermission1Mock);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(callerAccountRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions);
+
+        List<RolePermissionEntity> callerAccountRolePermissions3 = Collections.singletonList(rolePermission2Mock);
+        Mockito.when(roleManagerImpl.findAllRolePermissionsEntityBy(differentPermissionsRoleMock.getId(), false)).thenReturn(callerAccountRolePermissions3);
 
         roles.add(callerAccountRoleMock);
         roles.add(differentPermissionsRoleMock);
@@ -276,10 +274,10 @@ public class RoleManagerImplTest {
     @Test
     public void roleHasPermissionTestRoleWithMoreAndSamePermissionsReturnsTrue() {
         setUpRoleVisibilityTests();
-        rolePermissions.put("api1", Permission.ALLOW);
-        rolePermissions.put("api2", Permission.ALLOW);
+        rolePermissions.put("api1", rolePermission1Mock);
+        rolePermissions.put("api2", rolePermission2Mock);
 
-        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, lessPermissionsRoleMock);
+        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, Collections.singletonList(rolePermission1Mock));
 
         Assert.assertTrue(result);
     }
@@ -287,10 +285,10 @@ public class RoleManagerImplTest {
     @Test
     public void roleHasPermissionTestRoleAllowedApisDoesNotContainRoleToAccessAllowedApiReturnsFalse() {
         setUpRoleVisibilityTests();
-        rolePermissions.put("api2", Permission.ALLOW);
-        rolePermissions.put("api3", Permission.ALLOW);
+        rolePermissions.put("api2", rolePermission2Mock);
+        rolePermissions.put("api3", rolePermission3Mock);
 
-        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, morePermissionsRoleMock);
+        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, List.of(rolePermission1Mock, rolePermission2Mock));
 
         Assert.assertFalse(result);
     }
@@ -298,10 +296,10 @@ public class RoleManagerImplTest {
     @Test
     public void roleHasPermissionTestRolePermissionsDeniedApiContainRoleToAccessAllowedApiReturnsFalse() {
         setUpRoleVisibilityTests();
-        rolePermissions.put("api1", Permission.ALLOW);
-        rolePermissions.put("api2", Permission.DENY);
+        rolePermissions.put("api1", rolePermission1Mock);
+        rolePermissions.put("api2", rolePermission2MockWithDeniedPermission);
 
-        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, morePermissionsRoleMock);
+        boolean result = roleManagerImpl.roleHasPermission(rolePermissions, List.of(rolePermission1Mock, rolePermission2Mock));
 
         Assert.assertFalse(result);
     }
@@ -310,11 +308,11 @@ public class RoleManagerImplTest {
     public void getRolePermissionsTestRoleReturnsRolePermissions() {
         setUpRoleVisibilityTests();
 
-        Map<String, Permission> roleRulesAndPermissions = roleManagerImpl.getRoleRulesAndPermissions(morePermissionsRoleMock.getId());
+        Map<String, RolePermissionEntity> roleRulesAndPermissions = roleManagerImpl.getRoleRulesAndPermissions(List.of(rolePermission1Mock, rolePermission2Mock));
 
         Assert.assertEquals(2, roleRulesAndPermissions.size());
-        Assert.assertEquals(roleRulesAndPermissions.get("api1"), Permission.ALLOW);
-        Assert.assertEquals(roleRulesAndPermissions.get("api2"), Permission.ALLOW);
+        Assert.assertEquals(roleRulesAndPermissions.get("api1"), rolePermission1Mock);
+        Assert.assertEquals(roleRulesAndPermissions.get("api2"), rolePermission2Mock);
     }
 
     @Test
diff --git a/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java b/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
index a9c083228e2..9aba65791a3 100644
--- a/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
+++ b/server/src/test/java/org/apache/cloudstack/backup/BackupManagerTest.java
@@ -76,6 +76,7 @@ import com.cloud.vm.dao.VMInstanceDao;
 import com.google.gson.Gson;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.command.admin.backup.CloneBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.ImportBackupOfferingCmd;
 import org.apache.cloudstack.api.command.admin.backup.UpdateBackupOfferingCmd;
 import org.apache.cloudstack.api.command.user.backup.CreateBackupCmd;
@@ -132,6 +133,7 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.atLeastOnce;
+import org.mockito.ArgumentCaptor;
 
 @RunWith(MockitoJUnitRunner.class)
 public class BackupManagerTest {
@@ -2518,4 +2520,109 @@ public class BackupManagerTest {
         return offering;
     }
 
+    @Test
+    public void testCloneBackupOfferingUsesProvidedDomainIds() {
+        Long sourceOfferingId = 1L;
+        Long zoneId = 10L;
+        Long savedOfferingId = 2L;
+        String externalId = UUID.randomUUID().toString();
+        List<Long> providedDomainIds = List.of(11L);
+
+        // command
+        CloneBackupOfferingCmd cmd = Mockito.mock(CloneBackupOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceOfferingId);
+        when(cmd.getName()).thenReturn("Cloned Offering");
+        when(cmd.getDescription()).thenReturn(null);
+        when(cmd.getExternalId()).thenReturn(null);
+        when(cmd.getUserDrivenBackups()).thenReturn(null);
+        when(cmd.getZoneId()).thenReturn(null);
+        when(cmd.getDomainIds()).thenReturn(providedDomainIds);
+
+        // source offering
+        BackupOfferingVO sourceOffering = Mockito.mock(BackupOfferingVO.class);
+        when(sourceOffering.getZoneId()).thenReturn(zoneId);
+        when(sourceOffering.getExternalId()).thenReturn(externalId);
+        when(sourceOffering.getProvider()).thenReturn("testbackupprovider");
+        when(sourceOffering.getDescription()).thenReturn("src desc");
+        when(sourceOffering.isUserDrivenBackupAllowed()).thenReturn(true);
+        when(sourceOffering.getName()).thenReturn("Source Offering");
+
+        when(backupOfferingDao.findById(sourceOfferingId)).thenReturn(sourceOffering);
+        when(backupOfferingDao.findByName(cmd.getName(), zoneId)).thenReturn(null);
+
+        BackupOfferingVO savedOffering = Mockito.mock(BackupOfferingVO.class);
+        when(savedOffering.getId()).thenReturn(savedOfferingId);
+        when(backupOfferingDao.persist(any(BackupOfferingVO.class))).thenReturn(savedOffering);
+
+        DomainVO domain = Mockito.mock(DomainVO.class);
+        when(domainDao.findById(11L)).thenReturn(domain);
+
+        overrideBackupFrameworkConfigValue();
+
+        BackupOffering result = backupManager.cloneBackupOffering(cmd);
+
+        assertEquals(savedOffering, result);
+
+        ArgumentCaptor<List> captor = ArgumentCaptor.forClass(List.class);
+        verify(backupOfferingDetailsDao, times(1)).saveDetails(captor.capture());
+        List<BackupOfferingDetailsVO> savedDetails = captor.getValue();
+        assertEquals(1, savedDetails.size());
+        assertEquals(String.valueOf(11L), savedDetails.get(0).getValue());
+    }
+
+    @Test
+    public void testCloneBackupOfferingInheritsDomainIdsFromSource() {
+        Long sourceOfferingId = 3L;
+        Long zoneId = 20L;
+        Long savedOfferingId = 4L;
+        List<Long> sourceDomainIds = List.of(21L, 22L);
+
+        CloneBackupOfferingCmd cmd = Mockito.mock(CloneBackupOfferingCmd.class);
+        when(cmd.getSourceOfferingId()).thenReturn(sourceOfferingId);
+        when(cmd.getName()).thenReturn("Cloned Inherit Offering");
+        when(cmd.getDescription()).thenReturn(null);
+        when(cmd.getExternalId()).thenReturn(null);
+        when(cmd.getUserDrivenBackups()).thenReturn(null);
+        when(cmd.getZoneId()).thenReturn(null);
+        // Simulate resolver having provided the source offering domains (the real cmd#getDomainIds() would do this)
+        when(cmd.getDomainIds()).thenReturn(sourceDomainIds);
+
+        BackupOfferingVO sourceOffering = Mockito.mock(BackupOfferingVO.class);
+        when(sourceOffering.getZoneId()).thenReturn(zoneId);
+        when(sourceOffering.getExternalId()).thenReturn("ext-src-2");
+        when(sourceOffering.getProvider()).thenReturn("testbackupprovider");
+        when(sourceOffering.getDescription()).thenReturn("src desc 2");
+        when(sourceOffering.isUserDrivenBackupAllowed()).thenReturn(false);
+        when(sourceOffering.getName()).thenReturn("Source Offering 2");
+
+        when(backupOfferingDao.findById(sourceOfferingId)).thenReturn(sourceOffering);
+        when(backupOfferingDao.findByName(cmd.getName(), zoneId)).thenReturn(null);
+
+        BackupOfferingVO savedOffering = Mockito.mock(BackupOfferingVO.class);
+        when(savedOffering.getId()).thenReturn(savedOfferingId);
+        when(backupOfferingDao.persist(any(BackupOfferingVO.class))).thenReturn(savedOffering);
+
+        // domain handling
+        DomainVO domain21 = Mockito.mock(DomainVO.class);
+        DomainVO domain22 = Mockito.mock(DomainVO.class);
+        when(domainDao.findById(21L)).thenReturn(domain21);
+        when(domainDao.findById(22L)).thenReturn(domain22);
+        when(domainHelper.filterChildSubDomains(sourceDomainIds)).thenReturn(new ArrayList<>(sourceDomainIds));
+
+        overrideBackupFrameworkConfigValue();
+
+        BackupOffering result = backupManager.cloneBackupOffering(cmd);
+        assertEquals(savedOffering, result);
+
+        ArgumentCaptor<List> captor = ArgumentCaptor.forClass(List.class);
+        verify(backupOfferingDetailsDao, times(1)).saveDetails(captor.capture());
+        List<BackupOfferingDetailsVO> savedDetails = captor.getValue();
+        assertEquals(2, savedDetails.size());
+        List<String> values = new ArrayList<>();
+        for (BackupOfferingDetailsVO d : savedDetails) {
+            values.add(d.getValue());
+        }
+        assertTrue(values.contains(String.valueOf(21L)));
+        assertTrue(values.contains(String.valueOf(22L)));
+    }
 }
diff --git a/test/integration/component/test_kubernetes_cluster_affinity_groups.py b/test/integration/component/test_kubernetes_cluster_affinity_groups.py
new file mode 100644
index 00000000000..80450d37bb2
--- /dev/null
+++ b/test/integration/component/test_kubernetes_cluster_affinity_groups.py
@@ -0,0 +1,931 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""Tests for Kubernetes cluster affinity groups feature"""
+
+import unittest
+from marvin.cloudstackTestCase import cloudstackTestCase
+from marvin.cloudstackAPI import (listInfrastructure,
+                                  listKubernetesSupportedVersions,
+                                  addKubernetesSupportedVersion,
+                                  deleteKubernetesSupportedVersion,
+                                  listKubernetesClusters,
+                                  createKubernetesCluster,
+                                  stopKubernetesCluster,
+                                  startKubernetesCluster,
+                                  deleteKubernetesCluster,
+                                  scaleKubernetesCluster,
+                                  destroyVirtualMachine,
+                                  deleteNetwork)
+from marvin.cloudstackException import CloudstackAPIException
+from marvin.lib.base import (ServiceOffering,
+                             Account,
+                             AffinityGroup,
+                             Configurations)
+from marvin.lib.utils import (cleanup_resources,
+                              random_gen)
+from marvin.lib.common import (get_zone,
+                               get_domain)
+from marvin.sshClient import SshClient
+from nose.plugins.attrib import attr
+from marvin.lib.decoratorGenerators import skipTestIf
+
+import time
+
+_multiprocess_shared_ = True
+
+RAND_SUFFIX = random_gen()
+
+
+class TestKubernetesClusterAffinityGroups(cloudstackTestCase):
+    """
+    Tests for CKS Affinity Groups feature (since 4.23.0)
+
+    This feature allows specifying different affinity groups for each
+    Kubernetes node type (CONTROL, WORKER, ETCD).
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        testClient = super(TestKubernetesClusterAffinityGroups, cls).getClsTestClient()
+        if testClient is None:
+            raise unittest.SkipTest("Marvin test client not available - check marvin configuration")
+        cls.apiclient = testClient.getApiClient()
+        cls.services = testClient.getParsedTestDataConfig()
+        cls.zone = get_zone(cls.apiclient, testClient.getZoneForTests())
+        cls.hypervisor = testClient.getHypervisorInfo()
+        cls.mgtSvrDetails = cls.config.__dict__["mgtSvr"][0].__dict__
+
+        cls.hypervisorNotSupported = False
+        if cls.hypervisor.lower() not in ["kvm", "vmware", "xenserver"]:
+            cls.hypervisorNotSupported = True
+
+        cls.setup_failed = False
+        cls._cleanup = []
+        cls.kubernetes_version_ids = []
+        cls.initial_configuration_cks_enabled = None
+
+        cls.k8s_version = cls.services.get("cks_kubernetes_version_upgrade_to",
+                                           cls.services.get("cks_kubernetes_version_upgrade_from"))
+
+        if cls.hypervisorNotSupported == False:
+            cls.endpoint_url = Configurations.list(cls.apiclient, name="endpoint.url")[0].value
+            if "localhost" in cls.endpoint_url:
+                endpoint_url = "http://%s:%d/client/api" % (cls.mgtSvrDetails["mgtSvrIp"], cls.mgtSvrDetails["port"])
+                cls.debug("Setting endpoint.url to %s" % endpoint_url)
+                Configurations.update(cls.apiclient, "endpoint.url", endpoint_url)
+
+            cls.initial_configuration_cks_enabled = Configurations.list(
+                cls.apiclient, name="cloud.kubernetes.service.enabled")[0].value
+            if cls.initial_configuration_cks_enabled not in ["true", True]:
+                cls.debug("Enabling CloudStack Kubernetes Service plugin and restarting management server")
+                Configurations.update(cls.apiclient, "cloud.kubernetes.service.enabled", "true")
+                cls.restartServer()
+
+            cls.cks_service_offering = None
+
+            if cls.setup_failed == False:
+                try:
+                    cls.kubernetes_version = cls.addKubernetesSupportedVersion(
+                        cls.services["cks_kubernetes_versions"][cls.k8s_version])
+                    cls.kubernetes_version_ids.append(cls.kubernetes_version.id)
+                except Exception as e:
+                    cls.setup_failed = True
+                    cls.debug("Failed to get Kubernetes version ISO in ready state: %s" % e)
+
+            if cls.setup_failed == False:
+                cks_offering_data = cls.services["cks_service_offering"]
+                cks_offering_data["name"] = 'CKS-Instance-' + random_gen()
+                cls.cks_service_offering = ServiceOffering.create(
+                    cls.apiclient,
+                    cks_offering_data
+                )
+                cls._cleanup.append(cls.cks_service_offering)
+
+                cls.domain = get_domain(cls.apiclient)
+                cls.account = Account.create(
+                    cls.apiclient,
+                    cls.services["account"],
+                    domainid=cls.domain.id
+                )
+                cls._cleanup.append(cls.account)
+
+        cls.default_network = None
+
+        return
+
+    @classmethod
+    def tearDownClass(cls):
+        # Delete added Kubernetes supported version
+        for version_id in cls.kubernetes_version_ids:
+            try:
+                cls.deleteKubernetesSupportedVersion(version_id)
+            except Exception as e:
+                cls.debug("Error during cleanup for Kubernetes versions: %s" % e)
+
+        # Restore CKS enabled
+        if cls.initial_configuration_cks_enabled not in ["true", True]:
+            cls.debug("Restoring Kubernetes Service enabled value")
+            Configurations.update(cls.apiclient, "cloud.kubernetes.service.enabled", "false")
+            cls.restartServer()
+
+        super(TestKubernetesClusterAffinityGroups, cls).tearDownClass()
+
+    @classmethod
+    def restartServer(cls):
+        """Restart management server"""
+        cls.debug("Restarting management server")
+        sshClient = SshClient(
+            cls.mgtSvrDetails["mgtSvrIp"],
+            22,
+            cls.mgtSvrDetails["user"],
+            cls.mgtSvrDetails["passwd"]
+        )
+        command = "service cloudstack-management stop"
+        sshClient.execute(command)
+
+        command = "service cloudstack-management start"
+        sshClient.execute(command)
+
+        # Wait for management to come up in 5 mins
+        timeout = time.time() + 300
+        while time.time() < timeout:
+            if cls.isManagementUp() is True:
+                return
+            time.sleep(5)
+        cls.setup_failed = True
+        cls.debug("Management server did not come up, failing")
+        return
+
+    @classmethod
+    def isManagementUp(cls):
+        try:
+            cls.apiclient.listInfrastructure(listInfrastructure.listInfrastructureCmd())
+            return True
+        except Exception:
+            return False
+
+    @classmethod
+    def waitForKubernetesSupportedVersionIsoReadyState(cls, version_id, retries=30, interval=60):
+        """Check if Kubernetes supported version ISO is in Ready state"""
+        while retries > 0:
+            time.sleep(interval)
+            list_versions_response = cls.listKubernetesSupportedVersion(version_id)
+            if not hasattr(list_versions_response, 'isostate') or not list_versions_response or not list_versions_response.isostate:
+                retries = retries - 1
+                continue
+            if 'Ready' == list_versions_response.isostate:
+                return
+            elif 'Failed' == list_versions_response.isostate:
+                raise Exception("Failed to download template: status - %s" % list_versions_response.isostate)
+            retries = retries - 1
+        raise Exception("Kubernetes supported version Ready state timed out")
+
+    @classmethod
+    def listKubernetesSupportedVersion(cls, version_id):
+        listKubernetesSupportedVersionsCmd = listKubernetesSupportedVersions.listKubernetesSupportedVersionsCmd()
+        listKubernetesSupportedVersionsCmd.id = version_id
+        versionResponse = cls.apiclient.listKubernetesSupportedVersions(listKubernetesSupportedVersionsCmd)
+        return versionResponse[0]
+
+    @classmethod
+    def addKubernetesSupportedVersion(cls, version_service):
+        addKubernetesSupportedVersionCmd = addKubernetesSupportedVersion.addKubernetesSupportedVersionCmd()
+        addKubernetesSupportedVersionCmd.semanticversion = version_service["semanticversion"]
+        addKubernetesSupportedVersionCmd.name = 'v' + version_service["semanticversion"] + '-' + random_gen()
+        addKubernetesSupportedVersionCmd.url = version_service["url"]
+        addKubernetesSupportedVersionCmd.mincpunumber = version_service["mincpunumber"]
+        addKubernetesSupportedVersionCmd.minmemory = version_service["minmemory"]
+        kubernetes_version = cls.apiclient.addKubernetesSupportedVersion(addKubernetesSupportedVersionCmd)
+        cls.debug("Waiting for Kubernetes version with ID %s to be ready" % kubernetes_version.id)
+        cls.waitForKubernetesSupportedVersionIsoReadyState(kubernetes_version.id)
+        kubernetes_version = cls.listKubernetesSupportedVersion(kubernetes_version.id)
+        return kubernetes_version
+
+    @classmethod
+    def deleteKubernetesSupportedVersion(cls, version_id):
+        deleteKubernetesSupportedVersionCmd = deleteKubernetesSupportedVersion.deleteKubernetesSupportedVersionCmd()
+        deleteKubernetesSupportedVersionCmd.id = version_id
+        cls.apiclient.deleteKubernetesSupportedVersion(deleteKubernetesSupportedVersionCmd)
+
+    @classmethod
+    def listKubernetesCluster(cls, cluster_id=None, cluster_name=None):
+        listKubernetesClustersCmd = listKubernetesClusters.listKubernetesClustersCmd()
+        listKubernetesClustersCmd.listall = True
+        if cluster_id is not None:
+            listKubernetesClustersCmd.id = cluster_id
+        if cluster_name is not None:
+            listKubernetesClustersCmd.name = cluster_name
+        clusterResponse = cls.apiclient.listKubernetesClusters(listKubernetesClustersCmd)
+        if (cluster_id is not None or cluster_name is not None) and clusterResponse is not None:
+            return clusterResponse[0]
+        return clusterResponse
+
+    @classmethod
+    def deleteKubernetesCluster(cls, cluster_id):
+        deleteKubernetesClusterCmd = deleteKubernetesCluster.deleteKubernetesClusterCmd()
+        deleteKubernetesClusterCmd.id = cluster_id
+        response = cls.apiclient.deleteKubernetesCluster(deleteKubernetesClusterCmd)
+        return response
+
+    @classmethod
+    def stopKubernetesCluster(cls, cluster_id):
+        stopKubernetesClusterCmd = stopKubernetesCluster.stopKubernetesClusterCmd()
+        stopKubernetesClusterCmd.id = cluster_id
+        response = cls.apiclient.stopKubernetesCluster(stopKubernetesClusterCmd)
+        return response
+
+    def setUp(self):
+        self.services = self.testClient.getParsedTestDataConfig()
+        self.apiclient = self.testClient.getApiClient()
+        self.dbclient = self.testClient.getDbConnection()
+        self.cleanup = []
+        self.aff_grp = []
+        return
+
+    def tearDown(self):
+        super(TestKubernetesClusterAffinityGroups, self).tearDown()
+
+    def deleteKubernetesClusterAndVerify(self, cluster_id, verify=True, forced=False):
+        """Delete Kubernetes cluster and check if it is really deleted"""
+        delete_response = {}
+        forceDeleted = False
+        try:
+            delete_response = self.deleteKubernetesCluster(cluster_id)
+        except Exception as e:
+            if forced:
+                cluster = self.listKubernetesCluster(cluster_id)
+                if cluster is not None:
+                    if cluster.state in ['Starting', 'Running', 'Upgrading', 'Scaling']:
+                        self.stopKubernetesCluster(cluster_id)
+                        self.deleteKubernetesCluster(cluster_id)
+                    else:
+                        forceDeleted = True
+                        for cluster_vm in cluster.virtualmachines:
+                            cmd = destroyVirtualMachine.destroyVirtualMachineCmd()
+                            cmd.id = cluster_vm.id
+                            cmd.expunge = True
+                            self.apiclient.destroyVirtualMachine(cmd)
+                        cmd = deleteNetwork.deleteNetworkCmd()
+                        cmd.id = cluster.networkid
+                        cmd.forced = True
+                        self.apiclient.deleteNetwork(cmd)
+                        self.dbclient.execute(
+                            "update kubernetes_cluster set state='Destroyed', removed=now() where uuid = '%s';" % cluster.id)
+            else:
+                raise Exception("Error: Exception during delete cluster : %s" % e)
+
+        if verify and not forceDeleted:
+            self.assertEqual(
+                delete_response.success,
+                True,
+                "Check KubernetesCluster delete response {}, {}".format(delete_response.success, True)
+            )
+
+            db_cluster_removed = \
+            self.dbclient.execute("select removed from kubernetes_cluster where uuid = '%s';" % cluster_id)[0][0]
+
+            self.assertNotEqual(
+                db_cluster_removed,
+                None,
+                "KubernetesCluster not removed in DB, {}".format(db_cluster_removed)
+            )
+
+    def create_aff_grp(self, aff_grp_name=None, aff_grp_type="host anti-affinity"):
+        """Create an affinity group"""
+        if aff_grp_name is None:
+            aff_grp_name = "aff_grp_" + random_gen(size=6)
+
+        aff_grp_data = {
+            "name": aff_grp_name,
+            "type": aff_grp_type
+        }
+        aff_grp = AffinityGroup.create(
+            self.apiclient,
+            aff_grp_data,
+            self.account.name,
+            self.domain.id
+        )
+        self.aff_grp.append(aff_grp)
+        self.cleanup.append(aff_grp)
+        return aff_grp
+
+    def createKubernetesCluster(self, name, version_id, size=1, control_nodes=1, etcd_nodes=0,
+                                control_aff_grp=None, worker_aff_grp=None, etcd_aff_grp=None):
+        """Create a Kubernetes cluster with optional affinity groups for each node type"""
+        createKubernetesClusterCmd = createKubernetesCluster.createKubernetesClusterCmd()
+        createKubernetesClusterCmd.name = name
+        createKubernetesClusterCmd.description = name + "-description"
+        createKubernetesClusterCmd.kubernetesversionid = version_id
+        createKubernetesClusterCmd.size = size
+        createKubernetesClusterCmd.controlnodes = control_nodes
+        createKubernetesClusterCmd.serviceofferingid = self.cks_service_offering.id
+        createKubernetesClusterCmd.zoneid = self.zone.id
+        createKubernetesClusterCmd.noderootdisksize = 10
+        createKubernetesClusterCmd.account = self.account.name
+        createKubernetesClusterCmd.domainid = self.domain.id
+
+        if etcd_nodes > 0:
+            createKubernetesClusterCmd.etcdnodes = etcd_nodes
+
+        # Set affinity groups for node types using the nodeaffinitygroups parameter
+        # Format: list of {node: "<NODE_TYPE>", affinitygroup: "<UUID>"}
+        if control_aff_grp is not None:
+            if not hasattr(createKubernetesClusterCmd, 'nodeaffinitygroups'):
+                createKubernetesClusterCmd.nodeaffinitygroups = []
+            createKubernetesClusterCmd.nodeaffinitygroups.append({
+                "node": "CONTROL",
+                "affinitygroup": control_aff_grp.id
+            })
+        if worker_aff_grp is not None:
+            if not hasattr(createKubernetesClusterCmd, 'nodeaffinitygroups'):
+                createKubernetesClusterCmd.nodeaffinitygroups = []
+            createKubernetesClusterCmd.nodeaffinitygroups.append({
+                "node": "WORKER",
+                "affinitygroup": worker_aff_grp.id
+            })
+        if etcd_aff_grp is not None:
+            if not hasattr(createKubernetesClusterCmd, 'nodeaffinitygroups'):
+                createKubernetesClusterCmd.nodeaffinitygroups = []
+            createKubernetesClusterCmd.nodeaffinitygroups.append({
+                "node": "ETCD",
+                "affinitygroup": etcd_aff_grp.id
+            })
+
+        if self.default_network:
+            createKubernetesClusterCmd.networkid = self.default_network.id
+
+        clusterResponse = self.apiclient.createKubernetesCluster(createKubernetesClusterCmd)
+        return clusterResponse
+
+    def startKubernetesCluster(self, cluster_id):
+        startKubernetesClusterCmd = startKubernetesCluster.startKubernetesClusterCmd()
+        startKubernetesClusterCmd.id = cluster_id
+        response = self.apiclient.startKubernetesCluster(startKubernetesClusterCmd)
+        return response
+
+    def scaleKubernetesCluster(self, cluster_id, size):
+        scaleKubernetesClusterCmd = scaleKubernetesCluster.scaleKubernetesClusterCmd()
+        scaleKubernetesClusterCmd.id = cluster_id
+        scaleKubernetesClusterCmd.size = size
+        response = self.apiclient.scaleKubernetesCluster(scaleKubernetesClusterCmd)
+        return response
+
+    def verifyKubernetesClusterState(self, cluster_response, state):
+        """Check if Kubernetes cluster state matches expected state"""
+        self.assertEqual(
+            cluster_response.state,
+            state,
+            "Check KubernetesCluster state {}, expected {}".format(cluster_response.state, state)
+        )
+
+    def verifyKubernetesClusterAffinityGroups(self, cluster, control_aff_grp=None,
+                                               worker_aff_grp=None, etcd_aff_grp=None):
+        """Verify affinity groups are correctly assigned to the cluster"""
+        if control_aff_grp is not None:
+            self.assertEqual(
+                cluster.controlnodeaffinitygroupid,
+                control_aff_grp.id,
+                "Control node affinity group ID mismatch. Expected: {}, Got: {}".format(
+                    control_aff_grp.id, cluster.controlnodeaffinitygroupid)
+            )
+            self.assertEqual(
+                cluster.controlnodeaffinitygroupname,
+                control_aff_grp.name,
+                "Control node affinity group name mismatch. Expected: {}, Got: {}".format(
+                    control_aff_grp.name, cluster.controlnodeaffinitygroupname)
+            )
+        else:
+            self.assertTrue(
+                not hasattr(cluster, 'controlnodeaffinitygroupid') or cluster.controlnodeaffinitygroupid is None,
+                "Control node affinity group should be None"
+            )
+
+        if worker_aff_grp is not None:
+            self.assertEqual(
+                cluster.workernodeaffinitygroupid,
+                worker_aff_grp.id,
+                "Worker node affinity group ID mismatch. Expected: {}, Got: {}".format(
+                    worker_aff_grp.id, cluster.workernodeaffinitygroupid)
+            )
+            self.assertEqual(
+                cluster.workernodeaffinitygroupname,
+                worker_aff_grp.name,
+                "Worker node affinity group name mismatch. Expected: {}, Got: {}".format(
+                    worker_aff_grp.name, cluster.workernodeaffinitygroupname)
+            )
+        else:
+            self.assertTrue(
+                not hasattr(cluster, 'workernodeaffinitygroupid') or cluster.workernodeaffinitygroupid is None,
+                "Worker node affinity group should be None"
+            )
+
+        if etcd_aff_grp is not None:
+            self.assertEqual(
+                cluster.etcdnodeaffinitygroupid,
+                etcd_aff_grp.id,
+                "ETCD node affinity group ID mismatch. Expected: {}, Got: {}".format(
+                    etcd_aff_grp.id, cluster.etcdnodeaffinitygroupid)
+            )
+            self.assertEqual(
+                cluster.etcdnodeaffinitygroupname,
+                etcd_aff_grp.name,
+                "ETCD node affinity group name mismatch. Expected: {}, Got: {}".format(
+                    etcd_aff_grp.name, cluster.etcdnodeaffinitygroupname)
+            )
+        else:
+            self.assertTrue(
+                not hasattr(cluster, 'etcdnodeaffinitygroupid') or cluster.etcdnodeaffinitygroupid is None,
+                "ETCD node affinity group should be None"
+            )
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_01_create_cluster_with_control_node_affinity_group(self):
+        """Test creating a Kubernetes cluster with affinity group for control nodes only
+
+        # Validate the following:
+        # 1. Create an affinity group
+        # 2. Create a Kubernetes cluster with the affinity group for control nodes
+        # 3. Verify cluster is created successfully and affinity group is assigned
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity group for control nodes")
+        control_aff_grp = self.create_aff_grp(aff_grp_name="control-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with control node affinity group")
+        cluster_name = "cks-aff-grp-control-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                control_aff_grp=control_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=None,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster with control node affinity group created successfully")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_02_create_cluster_with_worker_node_affinity_group(self):
+        """Test creating a Kubernetes cluster with affinity group for worker nodes only
+
+        # Validate the following:
+        # 1. Create an affinity group
+        # 2. Create a Kubernetes cluster with the affinity group for worker nodes
+        # 3. Verify cluster is created successfully and affinity group is assigned
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity group for worker nodes")
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with worker node affinity group")
+        cluster_name = "cks-aff-grp-worker-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                worker_aff_grp=worker_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=None,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster with worker node affinity group created successfully")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_03_create_cluster_with_all_node_type_affinity_groups(self):
+        """Test creating a Kubernetes cluster with different affinity groups for all node types
+
+        # Validate the following:
+        # 1. Create separate affinity groups for control, worker, and etcd nodes
+        # 2. Create a Kubernetes cluster with affinity groups for all node types
+        # 3. Verify cluster is created successfully and all affinity groups are assigned
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity groups for all node types")
+        control_aff_grp = self.create_aff_grp(aff_grp_name="control-aff-grp-" + random_gen())
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+        etcd_aff_grp = self.create_aff_grp(aff_grp_name="etcd-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with affinity groups for all node types")
+        cluster_name = "cks-aff-grp-all-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                etcd_nodes=1,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=etcd_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=etcd_aff_grp
+            )
+
+            self.debug("Kubernetes cluster with all node type affinity groups created successfully")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_04_create_cluster_with_same_affinity_group_all_node_types(self):
+        """Test creating a Kubernetes cluster with the same affinity group for all node types
+
+        # Validate the following:
+        # 1. Create a single affinity group
+        # 2. Create a Kubernetes cluster using the same affinity group for all node types
+        # 3. Verify cluster is created successfully
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating a single affinity group for all node types")
+        shared_aff_grp = self.create_aff_grp(aff_grp_name="shared-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with same affinity group for all node types")
+        cluster_name = "cks-aff-grp-shared-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                control_aff_grp=shared_aff_grp,
+                worker_aff_grp=shared_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=shared_aff_grp,
+                worker_aff_grp=shared_aff_grp,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster with shared affinity group created successfully")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_05_scale_cluster_respects_worker_affinity_group(self):
+        """Test that scaling a cluster respects the worker node affinity group
+
+        # Validate the following:
+        # 1. Create a cluster with worker node affinity group
+        # 2. Scale up the cluster
+        # 3. Verify affinity group assignments are preserved after scaling
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity group for worker nodes")
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with worker node affinity group")
+        cluster_name = "cks-aff-grp-scale-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                worker_aff_grp=worker_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+
+            self.debug("Scaling up Kubernetes cluster from 1 to 2 worker nodes")
+            cluster = self.scaleKubernetesCluster(cluster.id, 2)
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+            self.assertEqual(
+                cluster.size,
+                2,
+                "Cluster size should be 2 after scaling up, got {}".format(cluster.size)
+            )
+
+            # Verify affinity group is still assigned after scaling
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=None,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster scaled successfully with affinity group preserved")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_06_stop_start_cluster_preserves_affinity_groups(self):
+        """Test that stopping and starting a cluster preserves affinity groups
+
+        # Validate the following:
+        # 1. Create a cluster with affinity groups
+        # 2. Stop the cluster
+        # 3. Start the cluster
+        # 4. Verify affinity groups are preserved
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity groups")
+        control_aff_grp = self.create_aff_grp(aff_grp_name="control-aff-grp-" + random_gen())
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with affinity groups")
+        cluster_name = "cks-aff-grp-lifecycle-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+
+            self.debug("Stopping Kubernetes cluster")
+            self.stopKubernetesCluster(cluster.id)
+
+            cluster = self.listKubernetesCluster(cluster.id)
+            self.assertEqual(
+                cluster.state,
+                'Stopped',
+                "Cluster should be in Stopped state, got {}".format(cluster.state)
+            )
+
+            self.debug("Starting Kubernetes cluster")
+            cluster = self.startKubernetesCluster(cluster.id)
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+
+            # Verify affinity groups are preserved after stop/start
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster stop/start completed with affinity groups preserved")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_07_create_cluster_with_invalid_affinity_group_id(self):
+        """Test creating a cluster with an invalid affinity group ID fails
+
+        # Validate the following:
+        # 1. Attempt to create a cluster with a non-existent affinity group ID
+        # 2. Verify the operation fails with appropriate error
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating Kubernetes cluster with invalid affinity group ID")
+        cluster_name = "cks-aff-grp-invalid-" + random_gen()
+
+        # Create a fake affinity group object with invalid ID
+        class FakeAffinityGroup:
+            def __init__(self):
+                self.id = "invalid-uuid-12345"
+                self.name = "fake-group"
+
+        fake_aff_grp = FakeAffinityGroup()
+
+        with self.assertRaises(Exception) as context:
+            self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                control_aff_grp=fake_aff_grp
+            )
+
+        self.debug("Expected error when creating cluster with invalid affinity group: %s" % context.exception)
+
+        # Clean up any partially created cluster
+        cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+        if cluster is not None:
+            self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_08_cluster_response_includes_affinity_group_details(self):
+        """Test that cluster list response includes affinity group details
+
+        # Validate the following:
+        # 1. Create a cluster with affinity groups
+        # 2. List the cluster
+        # 3. Verify response includes affinity group IDs and names
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity groups")
+        control_aff_grp = self.create_aff_grp(aff_grp_name="control-aff-grp-" + random_gen())
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with affinity groups")
+        cluster_name = "cks-aff-grp-response-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+
+            # List the cluster and verify response
+            listed_cluster = self.listKubernetesCluster(cluster.id)
+
+            self.assertIsNotNone(listed_cluster, "Cluster should be listed")
+
+            # Verify control node affinity group in response
+            self.assertTrue(
+                hasattr(listed_cluster, 'controlnodeaffinitygroupid'),
+                "Response should include controlnodeaffinitygroupid"
+            )
+            self.assertTrue(
+                hasattr(listed_cluster, 'controlnodeaffinitygroupname'),
+                "Response should include controlnodeaffinitygroupname"
+            )
+
+            # Verify worker node affinity group in response
+            self.assertTrue(
+                hasattr(listed_cluster, 'workernodeaffinitygroupid'),
+                "Response should include workernodeaffinitygroupid"
+            )
+            self.assertTrue(
+                hasattr(listed_cluster, 'workernodeaffinitygroupname'),
+                "Response should include workernodeaffinitygroupname"
+            )
+
+            # Verify the values match
+            self.verifyKubernetesClusterAffinityGroups(
+                listed_cluster,
+                control_aff_grp=control_aff_grp,
+                worker_aff_grp=worker_aff_grp,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Cluster response includes correct affinity group details")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_09_create_cluster_without_affinity_groups(self):
+        """Test creating a cluster without any affinity groups
+
+        # Validate the following:
+        # 1. Create a cluster without specifying any affinity groups
+        # 2. Verify cluster is created and affinity group fields are null/empty
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating Kubernetes cluster without affinity groups")
+        cluster_name = "cks-no-aff-grp-" + random_gen()
+        try:
+            cluster = self.createKubernetesCluster(
+                cluster_name,
+                self.kubernetes_version.id,
+                size=1,
+                control_nodes=1
+            )
+
+            self.verifyKubernetesClusterState(cluster, 'Running')
+
+            # Verify no affinity groups are assigned
+            self.verifyKubernetesClusterAffinityGroups(
+                cluster,
+                control_aff_grp=None,
+                worker_aff_grp=None,
+                etcd_aff_grp=None
+            )
+
+            self.debug("Kubernetes cluster created successfully without affinity groups")
+        finally:
+            cluster = self.listKubernetesCluster(cluster_name=cluster_name)
+            if cluster is not None:
+                self.deleteKubernetesClusterAndVerify(cluster.id, False, True)
+
+    @attr(tags=["advanced", "smoke"], required_hardware="true")
+    @skipTestIf("hypervisorNotSupported")
+    def test_10_delete_cluster_with_affinity_groups(self):
+        """Test that deleting a cluster with affinity groups works correctly
+
+        # Validate the following:
+        # 1. Create a cluster with affinity groups
+        # 2. Delete the cluster
+        # 3. Verify cluster is deleted and affinity groups still exist
+        """
+        if self.setup_failed:
+            self.fail("Setup incomplete")
+
+        self.debug("Creating affinity groups")
+        control_aff_grp = self.create_aff_grp(aff_grp_name="control-aff-grp-" + random_gen())
+        worker_aff_grp = self.create_aff_grp(aff_grp_name="worker-aff-grp-" + random_gen())
+
+        self.debug("Creating Kubernetes cluster with affinity groups")
+        cluster_name = "cks-aff-grp-delete-" + random_gen()
+        cluster = self.createKubernetesCluster(
+            cluster_name,
+            self.kubernetes_version.id,
+            size=1,
+            control_nodes=1,
+            control_aff_grp=control_aff_grp,
+            worker_aff_grp=worker_aff_grp
+        )
+
+        self.verifyKubernetesClusterState(cluster, 'Running')
+        cluster_id = cluster.id
+
+        self.debug("Deleting Kubernetes cluster")
+        self.deleteKubernetesClusterAndVerify(cluster_id)
+
+        # Verify cluster is deleted
+        deleted_cluster = self.listKubernetesCluster(cluster_id)
+        self.assertIsNone(deleted_cluster, "Cluster should be deleted")
+
+        # Verify affinity groups still exist
+        control_aff_grp_list = AffinityGroup.list(self.apiclient, id=control_aff_grp.id)
+        self.assertIsNotNone(control_aff_grp_list, "Control affinity group should still exist")
+
+        worker_aff_grp_list = AffinityGroup.list(self.apiclient, id=worker_aff_grp.id)
+        self.assertIsNotNone(worker_aff_grp_list, "Worker affinity group should still exist")
+
+        self.debug("Kubernetes cluster deleted successfully, affinity groups preserved")
diff --git a/test/integration/smoke/test_accounts.py b/test/integration/smoke/test_accounts.py
index 209c8431b23..d30f9f39890 100644
--- a/test/integration/smoke/test_accounts.py
+++ b/test/integration/smoke/test_accounts.py
@@ -1744,7 +1744,7 @@ class TestUserAPIKeys(cloudstackTestCase):
             self.apiclient,
             id=self.account_2.id
         )[0].user
-        with self.assertRaises(CloudstackAPIException) as e:
+        with self.assertRaises(Exception) as e:
             User.registerUserKeys(cs_api, users[0].id)
 
 
diff --git a/test/integration/smoke/test_domain_vpc_offerings.py b/test/integration/smoke/test_domain_vpc_offerings.py
index f3d31b2bf7e..9570d35c618 100644
--- a/test/integration/smoke/test_domain_vpc_offerings.py
+++ b/test/integration/smoke/test_domain_vpc_offerings.py
@@ -28,9 +28,16 @@ from marvin.lib.utils import (isAlmostEqual,
 from marvin.lib.base import (Domain,
                              VpcOffering,
                              Account,
-                             VPC)
+                             VPC,
+                             NetworkOffering,
+                             Network,
+                             VirtualMachine,
+                             ServiceOffering,
+                             PublicIPAddress,
+                             NATRule)
 from marvin.lib.common import (get_domain,
-                               get_zone)
+                               get_zone,
+                               get_test_template)
 from nose.plugins.attrib import attr
 
 import time
@@ -222,6 +229,7 @@ class TestDomainsVpcOfferings(cloudstackTestCase):
         cls.apiclient = testClient.getApiClient()
         cls.localservices = Services().services
         cls.services = testClient.getParsedTestDataConfig()
+        cls.hypervisor = cls.testClient.getHypervisorInfo()
         # Create domains
         cls.domain_1 = Domain.create(
             cls.apiclient,
@@ -402,3 +410,158 @@ class TestDomainsVpcOfferings(cloudstackTestCase):
         self.debug("Vpc created for first child subdomain %s" % self.valid_account_3.domainid)
 
         return
+
+    @attr(
+        tags=[
+            "advanced",
+            "eip",
+            "sg",
+            "advancedns",
+            "smoke"],
+        required_hardware="false")
+    def test_04_validate_vpc_offering_conserve_mode_disabled(self):
+        """Test to create and validate vpc with conserve mode disabled for an existing domain specified vpc offering"""
+
+        # Validate the following:
+        # 1. Create Vpc for user in domain for which offering is specified
+        # 2. Validate that conserve mode is disabled for the vpc (cannot reuse ip address on multiple VPC tiers)
+
+        template = get_test_template(
+            self.apiclient,
+            self.zone.id,
+            self.hypervisor)
+        if template == FAILED:
+            assert False, "get_test_template() failed to return template"
+
+        valid_account_1 = Account.create(
+            self.apiclient,
+            self.services["account"],
+            domainid=self.domain_1.id
+        )
+        self.cleanup.append(valid_account_1)
+
+        service_offering = ServiceOffering.create(
+            self.apiclient,
+            self.services["service_offerings"]["tiny"]
+        )
+        self.cleanup.append(service_offering)
+
+        self.services["vpc"]["cidr"] = "10.10.20.0/24"
+        vpc = VPC.create(
+            apiclient=self.apiclient,
+            services=self.services["vpc"],
+            account=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            zoneid=self.zone.id,
+            vpcofferingid=self.vpc_offering.id
+        )
+        self.debug("Vpc created for subdomain %s" % valid_account_1.domainid)
+
+        self.services["network_offering"]["supportedservices"] = 'Vpn,Dhcp,Dns,SourceNat,Lb,UserData,StaticNat,NetworkACL,PortForwarding'
+        self.services["network_offering"]["serviceProviderList"] = {
+            "Vpn": 'VpcVirtualRouter',
+            "Dhcp": 'VpcVirtualRouter',
+            "Dns": 'VpcVirtualRouter',
+            "SourceNat": 'VpcVirtualRouter',
+            "Lb": 'VpcVirtualRouter',
+            "UserData": 'VpcVirtualRouter',
+            "StaticNat": 'VpcVirtualRouter',
+            "NetworkACL": 'VpcVirtualRouter',
+            "PortForwarding": 'VpcVirtualRouter'
+        }
+        network_offering = NetworkOffering.create(
+            self.apiclient,
+            self.services["network_offering"]
+        )
+        network_offering.update(self.apiclient, state="Enabled")
+        self.cleanup.append(network_offering)
+
+        gateway_tier1 = "10.10.20.1"
+        netmask_tiers = "255.255.255.240"
+
+        self.services["network_offering"]["name"] = "tier1-" + vpc.id
+        self.services["network_offering"]["displayname"] = "tier1-" + vpc.id
+        tier1 = Network.create(
+            self.apiclient,
+            services=self.services["network_offering"],
+            accountid=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            networkofferingid=network_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway=gateway_tier1,
+            netmask=netmask_tiers,
+        )
+
+        gateway_tier2 = "10.10.20.17"
+        self.services["network_offering"]["name"] = "tier2-" + vpc.id
+        self.services["network_offering"]["displayname"] = "tier2-" + vpc.id
+        tier2 = Network.create(
+            self.apiclient,
+            services=self.services["network_offering"],
+            accountid=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            networkofferingid=network_offering.id,
+            zoneid=self.zone.id,
+            vpcid=vpc.id,
+            gateway=gateway_tier2,
+            netmask=netmask_tiers,
+        )
+
+        self.services["virtual_machine"]["displayname"] = "vm1" + vpc.id
+        vm1 = VirtualMachine.create(
+            self.apiclient,
+            services=self.services["virtual_machine"],
+            templateid=template.id,
+            zoneid=self.zone.id,
+            accountid=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            serviceofferingid=service_offering.id,
+            networkids=[tier1.id],
+        )
+
+        self.services["virtual_machine"]["displayname"] = "vm2" + vpc.id
+        vm2 = VirtualMachine.create(
+            self.apiclient,
+            services=self.services["virtual_machine"],
+            templateid=template.id,
+            zoneid=self.zone.id,
+            accountid=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            serviceofferingid=service_offering.id,
+            networkids=[tier2.id],
+        )
+
+        public_ip = PublicIPAddress.create(
+            self.apiclient,
+            zoneid=self.zone.id,
+            accountid=valid_account_1.name,
+            domainid=valid_account_1.domainid,
+            vpcid=vpc.id,
+        )
+
+        nat_rule = NATRule.create(
+            self.apiclient,
+            vm1,
+            self.services["natrule"],
+            ipaddressid=public_ip.ipaddress.id,
+            vpcid=vpc.id,
+            networkid=tier1.id,
+        )
+
+        self.services["natrule"]["privateport"] = 80
+        self.services["natrule"]["publicport"] = 80
+        try:
+            NATRule.create(
+                self.apiclient,
+                vm2,
+                self.services["natrule"],
+                ipaddressid=public_ip.ipaddress.id,
+                vpcid=vpc.id,
+                networkid=tier2.id,
+            )
+            self.fail(
+                "Expected cross-tier rule creation to fail with conserveMode=False, but succeeded"
+            )
+        except CloudstackAPIException as e:
+            self.debug("Expected cross-tier rule creation to failure with conserveMode=False")
diff --git a/test/integration/smoke/test_vpc_conserve_mode.py b/test/integration/smoke/test_vpc_conserve_mode.py
new file mode 100644
index 00000000000..a56953db787
--- /dev/null
+++ b/test/integration/smoke/test_vpc_conserve_mode.py
@@ -0,0 +1,314 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""Tests for VPC Conserve Mode (since 4.23.0)
+
+Conserve mode allows public IP services (LB, Port Forwarding, Static NAT) to be
+shared across multiple VPC tiers using the same public IP address.
+
+When conserve mode is ON:
+  - A single public IP can have rules targeting VMs in different VPC tiers
+  - FirewallManagerImpl skips the cross-network conflict check for that VPC
+
+When conserve mode is OFF (default before 4.23.0):
+  - Rules on a given public IP must all belong to the same VPC tier (network)
+  - Attempting to create a rule on a different tier than an existing rule raises
+    a NetworkRuleConflictException
+"""
+
+from marvin.cloudstackException import CloudstackAPIException
+from marvin.cloudstackTestCase import cloudstackTestCase
+from marvin.codes import FAILED
+from marvin.lib.base import (
+    Account,
+    LoadBalancerRule,
+    NATRule,
+    Network,
+    NetworkOffering,
+    PublicIPAddress,
+    ServiceOffering,
+    VirtualMachine,
+    VPC,
+    VpcOffering,
+)
+from marvin.lib.common import (
+    get_domain,
+    get_test_template,
+    get_zone,
+    list_publicIP
+)
+from marvin.lib.utils import cleanup_resources
+from nose.plugins.attrib import attr
+import logging
+
+class TestVPCConserveModeRules(cloudstackTestCase):
+    """Tests that conserve mode for VPC controls whether rules on the same public IP are allowed in multiple VPC tiers.
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        cls.testClient = super(TestVPCConserveModeRules, cls).getClsTestClient()
+        cls.apiclient = cls.testClient.getApiClient()
+        cls.services = cls.testClient.getParsedTestDataConfig()
+        cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
+        cls.domain = get_domain(cls.apiclient)
+        cls.hypervisor = cls.testClient.getHypervisorInfo()
+        cls.logger = logging.getLogger("TestVPCConserveModeRules")
+        cls._cleanup = []
+
+        cls.account = Account.create(
+            cls.apiclient,
+            cls.services["account"],
+            admin=True,
+            domainid=cls.domain.id)
+        cls._cleanup.append(cls.account)
+
+        cls.template = get_test_template(
+            cls.apiclient,
+            cls.zone.id,
+            cls.hypervisor)
+        if cls.template == FAILED:
+            assert False, "get_test_template() failed to return template"
+
+        cls.service_offering = ServiceOffering.create(
+            cls.apiclient,
+            cls.services["service_offerings"]["tiny"]
+        )
+        cls._cleanup.append(cls.service_offering)
+
+        cls.services["vpc_offering"]["supportedservices"] = 'Vpn,Dhcp,Dns,SourceNat,Lb,UserData,StaticNat,NetworkACL,PortForwarding'
+        cls.services["vpc_offering"]["conservemode"] = True
+        cls.vpc_offering_conserve_mode = VpcOffering.create(
+            cls.apiclient,
+            cls.services["vpc_offering"]
+        )
+        cls.vpc_offering_conserve_mode.update(cls.apiclient, state="Enabled")
+        cls._cleanup.append(cls.vpc_offering_conserve_mode)
+
+        cls.services["network_offering"]["supportedservices"] = 'Vpn,Dhcp,Dns,SourceNat,Lb,UserData,StaticNat,NetworkACL,PortForwarding'
+        cls.services["network_offering"]["serviceProviderList"] = {
+            "Vpn": 'VpcVirtualRouter',
+            "Dhcp": 'VpcVirtualRouter',
+            "Dns": 'VpcVirtualRouter',
+            "SourceNat": 'VpcVirtualRouter',
+            "Lb": 'VpcVirtualRouter',
+            "UserData": 'VpcVirtualRouter',
+            "StaticNat": 'VpcVirtualRouter',
+            "NetworkACL": 'VpcVirtualRouter',
+            "PortForwarding": 'VpcVirtualRouter'
+        }
+        cls.network_offering = NetworkOffering.create(
+            cls.apiclient,
+            cls.services["network_offering"],
+            conservemode=True
+        )
+        cls.network_offering.update(cls.apiclient, state="Enabled")
+        cls._cleanup.append(cls.network_offering)
+
+        cls.services["vpc"]["cidr"] = "10.10.20.0/24"
+
+        cls.vpc = VPC.create(
+            cls.apiclient,
+            cls.services["vpc"],
+            vpcofferingid=cls.vpc_offering_conserve_mode.id,
+            zoneid=cls.zone.id,
+            account=cls.account.name,
+            domainid=cls.account.domainid,
+        )
+        cls._cleanup.append(cls.vpc)
+
+        gateway_tier1 = "10.10.20.1"
+        netmask_tiers = "255.255.255.240"
+
+        cls.services["network_offering"]["name"] = "tier1-" + cls.vpc.id
+        cls.services["network_offering"]["displayname"] = "tier1-" + cls.vpc.id
+        cls.tier1 = Network.create(
+            cls.apiclient,
+            services=cls.services["network_offering"],
+            accountid=cls.account.name,
+            domainid=cls.account.domainid,
+            networkofferingid=cls.network_offering.id,
+            zoneid=cls.zone.id,
+            vpcid=cls.vpc.id,
+            gateway=gateway_tier1,
+            netmask=netmask_tiers,
+        )
+        cls._cleanup.append(cls.tier1)
+
+        gateway_tier2 = "10.10.20.17"
+        cls.services["network_offering"]["name"] = "tier2-" + cls.vpc.id
+        cls.services["network_offering"]["displayname"] = "tier2-" + cls.vpc.id
+        cls.tier2 = Network.create(
+            cls.apiclient,
+            services=cls.services["network_offering"],
+            accountid=cls.account.name,
+            domainid=cls.account.domainid,
+            networkofferingid=cls.network_offering.id,
+            zoneid=cls.zone.id,
+            vpcid=cls.vpc.id,
+            gateway=gateway_tier2,
+            netmask=netmask_tiers,
+        )
+        cls._cleanup.append(cls.tier2)
+
+        cls.services["virtual_machine"]["displayname"] = "vm1" + cls.vpc.id
+        cls.vm1 = VirtualMachine.create(
+            cls.apiclient,
+            services=cls.services["virtual_machine"],
+            templateid=cls.template.id,
+            zoneid=cls.zone.id,
+            accountid=cls.account.name,
+            domainid=cls.account.domainid,
+            serviceofferingid=cls.service_offering.id,
+            networkids=[cls.tier1.id],
+        )
+        cls.services["virtual_machine"]["displayname"] = "vm2" + cls.vpc.id
+        cls.vm2 = VirtualMachine.create(
+            cls.apiclient,
+            services=cls.services["virtual_machine"],
+            templateid=cls.template.id,
+            zoneid=cls.zone.id,
+            accountid=cls.account.name,
+            domainid=cls.account.domainid,
+            serviceofferingid=cls.service_offering.id,
+            networkids=[cls.tier2.id],
+        )
+        cls._cleanup.append(cls.vm1)
+        cls._cleanup.append(cls.vm2)
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestVPCConserveModeRules, cls).tearDownClass()
+
+    def setUp(self):
+        self.apiclient = self.testClient.getApiClient()
+        self.cleanup = []
+
+    def tearDown(self):
+        super(TestVPCConserveModeRules, self).tearDown()
+
+    @attr(tags=["advanced", "advancedns", "smoke"], required_hardware="false")
+    def test_01_vpc_conserve_mode_cross_tier_rules_allowed(self):
+        """With conserveMode=True, LB rule on VPC Tier 1 and Port Forwarding rule on VPC Tier 2 can
+        share the same public IP without a NetworkRuleConflictException.
+        """
+
+        public_ip = PublicIPAddress.create(
+            self.apiclient,
+            zoneid=self.zone.id,
+            accountid=self.account.name,
+            domainid=self.account.domainid,
+            vpcid=self.vpc.id,
+        )
+
+        self.logger.debug(
+            "Creating LB rule on tier-1 (networkid=%s) using public IP %s",
+            self.tier1.id,
+            public_ip.ipaddress.ipaddress,
+        )
+        lb_rule_tier1 = LoadBalancerRule.create(
+            self.apiclient,
+            self.services["lbrule"],
+            ipaddressid=public_ip.ipaddress.id,
+            accountid=self.account.name,
+            vpcid=self.vpc.id,
+            networkid=self.tier1.id,
+            domainid=self.account.domainid,
+        )
+        self.assertIsNotNone(lb_rule_tier1, "LB rule creation on tier-1 failed")
+        lb_rule_tier1.assign(self.apiclient, [self.vm1])
+
+        self.logger.debug(
+            "Creating Port Forwarding rule on tier-2 (networkid=%s) "
+            "using the same public IP %s – should succeed with conserve mode",
+            self.tier2.id,
+            public_ip.ipaddress.ipaddress,
+        )
+        try:
+            nat_rule = NATRule.create(
+                self.apiclient,
+                self.vm2,
+                self.services["natrule"],
+                ipaddressid=public_ip.ipaddress.id,
+                vpcid=self.vpc.id,
+                networkid=self.tier2.id,
+            )
+            self.assertIsNotNone(
+                nat_rule,
+                "Port Forwarding rule creation on tier-2 failed unexpectedly",
+            )
+        except CloudstackAPIException as e:
+            self.fail(
+                "Expected cross-tier Port Forwarding rule to succeed with "
+                "conserveMode=True, but got exception: %s" % e
+            )
+
+    @attr(tags=["advanced", "advancedns", "smoke"], required_hardware="false")
+    def test_02_vpc_conserve_mode_reuse_source_nat_ip_address(self):
+        """With VPC conserve mode enabled, a NAT rule can be created on a VPC tier (conserve mode enabled)
+        with a source NAT IP address
+        """
+        source_nat_ip_resp = list_publicIP(
+            self.apiclient,
+            vpcid=self.vpc.id,
+            listall=True,
+            issourcenat=True
+        )
+
+        source_nat_ip = source_nat_ip_resp[0]
+
+        self.logger.debug(
+            "Creating Port Forwarding rule on tier-2 (networkid=%s) "
+            "using the source NAT public IP %s – should succeed with conserve mode",
+            self.tier1.id,
+            source_nat_ip.ipaddress,
+        )
+        try:
+            nat_rule = NATRule.create(
+                self.apiclient,
+                self.vm2,
+                self.services["natrule"],
+                ipaddressid=source_nat_ip.id,
+                vpcid=self.vpc.id,
+                networkid=self.tier2.id,
+            )
+            self.assertIsNotNone(
+                nat_rule,
+                "Port Forwarding rule creation on tier-2 failed unexpectedly",
+            )
+            self.logger.debug(
+                "Creating LB rule on tier-1 (networkid=%s) "
+                "using the source NAT public IP %s – should succeed with conserve mode",
+                self.tier1.id,
+                source_nat_ip.ipaddress,
+            )
+            lb_rule_tier1 = LoadBalancerRule.create(
+                self.apiclient,
+                self.services["lbrule"],
+                ipaddressid=source_nat_ip.id,
+                accountid=self.account.name,
+                vpcid=self.vpc.id,
+                networkid=self.tier2.id,
+                domainid=self.account.domainid,
+            )
+            self.assertIsNotNone(lb_rule_tier1, "LB rule creation on tier-2 failed")
+            lb_rule_tier1.assign(self.apiclient, [self.vm2])
+        except CloudstackAPIException as e:
+            self.fail(
+                "Expected multiple rules on VPC Source NAT IP to succeed with "
+                "conserveMode=True, but got exception: %s" % e
+            )
diff --git a/tools/marvin/marvin/cloudstackTestClient.py b/tools/marvin/marvin/cloudstackTestClient.py
index 8c5a0d6e612..fb2afc19d2e 100644
--- a/tools/marvin/marvin/cloudstackTestClient.py
+++ b/tools/marvin/marvin/cloudstackTestClient.py
@@ -148,32 +148,24 @@ class CSTestClient(object):
                                         "Client Creation Failed")
                     return FAILED
 
-                getuser_keys = getUserKeys.getUserKeysCmd()
-                getuser_keys.id = list_user_res[0].id
-                getuser_keys_res = self.__apiClient.getUserKeys(getuser_keys)
-                if getuser_keys_res is None :
-                    self.__logger.error("__createApiClient: API "
-                                        "Client Creation Failed")
-                    return FAILED
-
-                api_key = getuser_keys_res.apikey
-                security_key = getuser_keys_res.secretkey
-
                 user_id = list_user_res[0].id
-                if api_key is None:
+                getuser_keys = getUserKeys.getUserKeysCmd()
+                getuser_keys.id = user_id
+                getuser_keys_res = self.__apiClient.getUserKeys(getuser_keys)
+
+                if getuser_keys_res['apikey'] is None:
                     ret = self.__getKeys(user_id)
-                    if ret != FAILED:
-                        mgmt_details.apiKey = ret[0]
-                        mgmt_details.securityKey = ret[1]
-                    else:
+                    if ret == FAILED:
                         self.__logger.error("__createApiClient: API Client "
                                             "Creation Failed while "
                                             "Registering User")
                         return FAILED
+                    mgmt_details.apiKey = ret[0]
+                    mgmt_details.securityKey = ret[1]
                 else:
                     mgmt_details.port = 8080
-                    mgmt_details.apiKey = api_key
-                    mgmt_details.securityKey = security_key
+                    mgmt_details.apiKey = getuser_keys_res['apikey']
+                    mgmt_details.securityKey = getuser_keys_res['secretkey']
                 '''
                 Now Create the Connection objects and Api Client using
                 new details
@@ -216,6 +208,7 @@ class CSTestClient(object):
         try:
             register_user = registerUserKeys.registerUserKeysCmd()
             register_user.id = userid
+            register_user.name = f"keypair-{userid}"
             register_user_res = \
                 self.__apiClient.registerUserKeys(register_user)
             if not register_user_res:
@@ -224,13 +217,13 @@ class CSTestClient(object):
             getuser_keys = getUserKeys.getUserKeysCmd()
             getuser_keys.id = userid
             getuser_keys_res = self.__apiClient.getUserKeys(getuser_keys)
-            if getuser_keys_res is None :
+            if getuser_keys_res is None:
                 self.__logger.error("__createApiClient: API "
-                                "Client Creation Failed")
+                                    "Client Creation Failed")
                 return FAILED
 
-            api_key = getuser_keys_res.apikey
-            security_key = getuser_keys_res.secretkey
+            api_key = getuser_keys_res['apikey']
+            security_key = getuser_keys_res['secretkey']
             return (api_key, security_key)
         except Exception as e:
             self.__logger.exception("Exception Occurred Under __geKeys : "
diff --git a/tools/marvin/marvin/lib/base.py b/tools/marvin/marvin/lib/base.py
index 2405d54162a..636c73209a3 100755
--- a/tools/marvin/marvin/lib/base.py
+++ b/tools/marvin/marvin/lib/base.py
@@ -335,6 +335,7 @@ class User:
     def registerUserKeys(cls, apiclient, userid):
         cmd = registerUserKeys.registerUserKeysCmd()
         cmd.id = userid
+        cmd.name = f"keypair-{userid}"
         return apiclient.registerUserKeys(cmd)
 
     def update(self, apiclient, **kwargs):
@@ -5226,6 +5227,8 @@ class VpcOffering:
             cmd.networkmode = services["networkmode"]
         if "routingmode" in services:
             cmd.routingmode = services["routingmode"]
+        if "conservemode" in services:
+            cmd.conservemode = services["conservemode"]
         return VpcOffering(apiclient.createVPCOffering(cmd).__dict__)
 
     def update(self, apiclient, name=None, displaytext=None, state=None):
diff --git a/ui/README.md b/ui/README.md
index 3f7bcb8120e..c5c5c778e83 100644
--- a/ui/README.md
+++ b/ui/README.md
@@ -180,7 +180,6 @@ The UI uses the following:
 - [Ant Design Vue](https://vue.ant.design/)
 - [Ant Design Pro Vue](https://github.com/sendya/ant-design-pro-vue)
 - [Fontawesome](https://github.com/FortAwesome/vue-fontawesome)
-- [ViserJS](https://viserjs.github.io/docs.html#/viser/guide/installation)
 - [Icons](https://www.iconfinder.com/iconsets/cat-force) by [Iconka](https://iconka.com/en/downloads/cat-power/)
 
 ## History
diff --git a/ui/public/config.json b/ui/public/config.json
index a067803ba7a..3d50f981185 100644
--- a/ui/public/config.json
+++ b/ui/public/config.json
@@ -96,6 +96,7 @@
     ]
   },
   "plugins": [],
+  "allowMakingRouterRedundant": false,
   "apidocs": true,
   "basicZoneEnabled": true,
   "multipleServer": false,
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
index 8bcc5d0a94b..513dfcdaa36 100644
--- a/ui/public/locales/en.json
+++ b/ui/public/locales/en.json
@@ -256,6 +256,7 @@
 "label.activate.project": "Activate project",
 "label.activeviewersessions": "Active sessions",
 "label.add": "Add",
+"label.addservices": "Add Services",
 "label.add.account": "Add Account",
 "label.add.acl.rule": "Add rule",
 "label.add.acl": "Add ACL",
@@ -566,12 +567,21 @@
 "label.cks.cluster.size": "Cluster size (Worker nodes)",
 "label.cks.cluster.worker.nodes.offeringid": "Service Offering for Worker Nodes",
 "label.cks.cluster.worker.nodes.templateid": "Template for Worker Nodes",
+"label.cks.cluster.control.nodes.affinitygroupid": "Affinity Groups for Control Nodes",
+"label.cks.cluster.worker.nodes.affinitygroupid": "Affinity Groups for Worker Nodes",
+"label.cks.cluster.etcd.nodes.affinitygroupid": "Affinity Groups for ETCD Nodes",
 "label.cleanup": "Clean up",
 "label.clear": "Clear",
 "label.clear.all": "Clear all",
 "label.clear.list": "Clear list",
 "label.clear.notification": "Clear notification",
 "label.clientid": "Provider Client ID",
+"label.clone.backup.offering": "Clone Backup Offering",
+"label.clone.compute.offering": "Clone Compute Offering",
+"label.clone.disk.offering": "Clone Disk Offering",
+"label.clone.network.offering": "Clone Network Offering",
+"label.clone.system.service.offering": "Clone System Service Offering",
+"label.clone.vpc.offering": "Clone VPC Offering",
 "label.close": "Close",
 "label.cloud.managed": "CloudManaged",
 "label.cloudian.admin.password": "Admin Service Password",
@@ -947,6 +957,7 @@
 "label.domains": "Domains",
 "label.done": "Done",
 "label.down": "Down",
+"label.dropservices": "Drop Services",
 "label.download": "Download",
 "label.download.csv": "Download CSV",
 "label.download.kubeconfig.cluster": "Download kubeconfig for the cluster <br><br> The <code><b>kubectl</b></code> command-line tool uses kubeconfig files to find the information it needs to choose a cluster and communicate with the API server of a cluster.",
@@ -2905,6 +2916,9 @@
 "label.edgecluster": "Edge Cluster",
 "label.encryption": "Encryption",
 "label.etcdnodes": "Number of etcd nodes",
+"label.controlaffinitygroupnames": "Control Affinity Groups",
+"label.workeraffinitygroupnames": "Worker Affinity Groups",
+"label.etcdaffinitygroupnames": "ETCD Affinity Groups",
 "label.versioning": "Versioning",
 "label.objectlocking": "Object Lock",
 "label.bucket.policy": "Bucket Policy",
@@ -3261,6 +3275,10 @@
 "message.create.bucket.failed": "Failed to create bucket.",
 "message.create.bucket.processing": "Bucket creation in progress",
 "message.create.compute.offering": "Compute Offering created",
+"message.clone.compute.offering": "Compute Offering cloned",
+"message.clone.service.offering": "Service Offering cloned",
+"message.clone.offering.from": "Cloning from",
+"message.clone.offering.edit.hint": "All values are pre-filled from the source offering. Edit any field to customize the new offering.",
 "message.create.sharedfs.failed": "Failed to create Shared FileSystem.",
 "message.create.sharedfs.processing": "Shared FileSystem creation in progress.",
 "message.create.tungsten.public.network": "Create Tungsten-Fabric public Network",
@@ -3381,6 +3399,9 @@
 "message.disable.webhook.ssl.verification": "Disabling SSL verification is not recommended",
 "message.discovering.feature": "Discovering features, please wait...",
 "message.disk.offering.created": "Disk offering created:",
+"message.success.clone.backup.offering": "Successfully cloned backup offering",
+"message.success.clone.disk.offering": "Successfully cloned disk offering:",
+"message.success.clone.network.offering": "Successfully cloned network offering:",
 "message.disk.usage.info.data.points": "Each data point represents the difference in read/write data since the last data point.",
 "message.disk.usage.info.sum.of.disks": "The disk usage shown is made up of the sum of read/write data from all the disks in the Instance.",
 "message.download.volume": "Please click the link to download the volume:<p><a href=\"#\">00000</a>",
diff --git a/ui/src/components/CheckBoxSelectPair.vue b/ui/src/components/CheckBoxSelectPair.vue
index 480e515be29..a874144458a 100644
--- a/ui/src/components/CheckBoxSelectPair.vue
+++ b/ui/src/components/CheckBoxSelectPair.vue
@@ -74,6 +74,10 @@ export default {
       type: Boolean,
       default: false
     },
+    defaultSelectValue: {
+      type: String,
+      default: null
+    },
     selectOptions: {
       type: Array,
       required: true
@@ -100,6 +104,9 @@ export default {
   },
   created () {
     this.checked = this.defaultCheckBoxValue
+    if (this.defaultSelectValue) {
+      this.selectedOption = this.defaultSelectValue
+    }
   },
   watch: {
     selectOptions () {
diff --git a/ui/src/components/offering/ComputeOfferingForm.vue b/ui/src/components/offering/ComputeOfferingForm.vue
new file mode 100644
index 00000000000..c621324f108
--- /dev/null
+++ b/ui/src/components/offering/ComputeOfferingForm.vue
@@ -0,0 +1,812 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <a-form
+    ref="internalFormRef"
+    :model="form"
+    :rules="rules"
+    @finish="onInternalSubmit"
+    layout="vertical">
+    <a-form-item name="name" ref="name">
+      <template #label>
+        <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+      </template>
+      <a-input
+        v-focus="true"
+        v-model:value="form.name"
+        :placeholder="$t('label.name')"/>
+    </a-form-item>
+    <a-form-item name="displaytext" ref="displaytext">
+      <template #label>
+        <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
+      </template>
+      <a-input
+        v-model:value="form.displaytext"
+        :placeholder="$t('label.displaytext')"/>
+    </a-form-item>
+    <a-form-item name="systemvmtype" ref="systemvmtype" v-if="isSystem">
+      <template #label>
+        <tooltip-label :title="$t('label.systemvmtype')" :tooltip="apiParams.systemvmtype.description"/>
+      </template>
+      <a-select
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.systemvmtype"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        :placeholder="apiParams.systemvmtype.description">
+        <a-select-option key="domainrouter" :label="$t('label.domain.router')">{{ $t('label.domain.router') }}</a-select-option>
+        <a-select-option key="consoleproxy" :label="$t('label.console.proxy')">{{ $t('label.console.proxy') }}</a-select-option>
+        <a-select-option key="secondarystoragevm" :label="$t('label.secondary.storage.vm')">{{ $t('label.secondary.storage.vm') }}</a-select-option>
+      </a-select>
+    </a-form-item>
+    <a-form-item name="offeringtype" ref="offeringtype" :label="$t('label.offeringtype')" v-show="!isSystem">
+      <a-radio-group
+        v-model:value="form.offeringtype"
+        @change="selected => { handleComputeOfferingTypeChange(selected.target.value) }"
+        buttonStyle="solid">
+        <a-radio-button value="fixed">{{ $t('label.fixed') }}</a-radio-button>
+        <a-radio-button value="customconstrained">{{ $t('label.customconstrained') }}</a-radio-button>
+        <a-radio-button value="customunconstrained">{{ $t('label.customunconstrained') }}</a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+
+    <a-row :gutter="12">
+      <a-col :md="8" :lg="8" v-if="offeringType === 'fixed'">
+        <a-form-item name="cpunumber" ref="cpunumber">
+          <template #label>
+            <tooltip-label :title="$t('label.cpunumber')" :tooltip="apiParams.cpunumber.description"/>
+          </template>
+          <a-input v-model:value="form.cpunumber" :placeholder="apiParams.cpunumber.description"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="8" :lg="8" v-if="offeringType !== 'customunconstrained'">
+        <a-form-item name="cpuspeed" ref="cpuspeed">
+          <template #label>
+            <tooltip-label :title="$t('label.cpuspeed')" :tooltip="apiParams.cpuspeed.description"/>
+          </template>
+          <a-input v-model:value="form.cpuspeed" :placeholder="apiParams.cpuspeed.description"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="8" :lg="8" v-if="offeringType === 'fixed'">
+        <a-form-item name="memory" ref="memory">
+          <template #label>
+            <tooltip-label :title="$t('label.memory.mb')" :tooltip="apiParams.memory.description"/>
+          </template>
+          <a-input v-model:value="form.memory" :placeholder="apiParams.memory.description"/>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <!-- The rest of the form fields (storage, QoS, GPU, tags, etc.) were copied
+         from AddComputeOffering.vue to ensure identical behavior. -->
+
+    <a-row :gutter="12" v-if="offeringType === 'customconstrained'">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="mincpunumber" ref="mincpunumber">
+          <template #label>
+            <tooltip-label :title="$t('label.mincpunumber')" :tooltip="apiParams.mincpunumber.description"/>
+          </template>
+          <a-input v-model:value="form.mincpunumber" :placeholder="apiParams.mincpunumber.description"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="maxcpunumber" ref="maxcpunumber">
+          <template #label>
+            <tooltip-label :title="$t('label.maxcpunumber')" :tooltip="apiParams.maxcpunumber.description"/>
+          </template>
+          <a-input v-model:value="form.maxcpunumber" :placeholder="apiParams.maxcpunumber.description"/>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-row :gutter="12" v-if="offeringType === 'customconstrained'">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="minmemory" ref="minmemory">
+          <template #label>
+            <tooltip-label :title="$t('label.minmemory')" :tooltip="apiParams.minmemory.description"/>
+          </template>
+          <a-input v-model:value="form.minmemory" :placeholder="apiParams.minmemory.description"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="maxmemory" ref="maxmemory">
+          <template #label>
+            <tooltip-label :title="$t('label.maxmemory')" :tooltip="apiParams.maxmemory.description"/>
+          </template>
+          <a-input v-model:value="form.maxmemory" :placeholder="apiParams.maxmemory.description"/>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-row :gutter="12">
+      <a-col :md="12" :lg="12">
+        <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="hosttags" ref="hosttags">
+          <template #label>
+            <tooltip-label :title="$t('label.hosttags')" :tooltip="apiParams.hosttags.description"/>
+          </template>
+          <a-input v-model:value="form.hosttags" :placeholder="apiParams.hosttags.description"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="networkrate" ref="networkrate">
+          <template #label>
+            <tooltip-label :title="$t('label.networkrate')" :tooltip="apiParams.networkrate.description"/>
+          </template>
+          <a-input v-model:value="form.networkrate" :placeholder="apiParams.networkrate.description"/>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-row :gutter="12">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="offerha" ref="offerha">
+          <template #label>
+            <tooltip-label :title="$t('label.offerha')" :tooltip="apiParams.offerha.description"/>
+          </template>
+          <a-switch v-model:checked="form.offerha" />
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="dynamicscalingenabled" ref="dynamicscalingenabled">
+          <template #label>
+            <tooltip-label :title="$t('label.dynamicscalingenabled')" :tooltip="apiParams.dynamicscalingenabled.description"/>
+          </template>
+          <a-switch v-model:checked="form.dynamicscalingenabled" @change="val => { dynamicscalingenabled = val }"/>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-row :gutter="12">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="limitcpuuse" ref="limitcpuuse">
+          <template #label>
+            <tooltip-label :title="$t('label.limitcpuuse')" :tooltip="apiParams.limitcpuuse.description"/>
+          </template>
+          <a-switch v-model:checked="form.limitcpuuse" />
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item v-if="!isSystem" name="isvolatile" ref="isvolatile">
+          <template #label>
+            <tooltip-label :title="$t('label.isvolatile')" :tooltip="apiParams.isvolatile.description"/>
+          </template>
+          <a-switch v-model:checked="form.isvolatile" />
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-form-item name="deploymentplanner" ref="deploymentplanner" v-if="!isSystem && isAdmin()">
+      <template #label>
+        <tooltip-label :title="$t('label.deploymentplanner')" :tooltip="apiParams.deploymentplanner.description"/>
+      </template>
+      <a-select
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.deploymentplanner"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        :loading="deploymentPlannerLoading"
+        :placeholder="apiParams.deploymentplanner.description"
+        @change="val => { handleDeploymentPlannerChange(val) }">
+        <a-select-option v-for="(opt) in deploymentPlanners" :key="opt.name" :label="opt.name || opt.description || ''">{{ opt.name || opt.description }}</a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-form-item name="plannermode" ref="plannermode" :label="$t('label.plannermode')" v-if="plannerModeVisible">
+      <a-radio-group v-model:value="form.plannermode" buttonStyle="solid">
+        <a-radio-button value="">{{ $t('label.none') }}</a-radio-button>
+        <a-radio-button value="strict">{{ $t('label.strict') }}</a-radio-button>
+        <a-radio-button value="Preferred">{{ $t('label.preferred') }}</a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+
+    <a-form-item name="gpucardid" ref="gpucardid" :label="$t('label.gpu.card')" v-if="!isSystem">
+      <a-select
+        v-model:value="form.gpucardid"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        :loading="gpuCardLoading"
+        :placeholder="$t('label.gpu.card')"
+        @change="handleGpuCardChange">
+        <a-select-option v-for="(opt, optIndex) in gpuCards" :key="optIndex" :value="opt.id" :label="opt.name || opt.description || ''">{{ opt.description || opt.name || '' }}</a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-form-item name="vgpuprofile" ref="vgpuprofile" :label="$t('label.vgpu.profile')" v-if="!isSystem && form.gpucardid && vgpuProfiles.length > 0">
+      <a-select
+        v-model:value="form.vgpuprofile"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        :loading="vgpuProfileLoading"
+        :placeholder="$t('label.vgpu.profile')">
+        <a-select-option v-for="(vgpu, vgpuIndex) in vgpuProfiles" :key="vgpuIndex" :value="vgpu.id" :label="vgpu.vgpuprofile || ''">{{ vgpu.name }} {{ getVgpuProfileDetails(vgpu) }}</a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-row :gutter="12" v-if="!isSystem && form.gpucardid">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="gpucount" ref="gpucount">
+          <template #label>
+            <tooltip-label :title="$t('label.gpu.count')" :tooltip="apiParams.gpucount.description"/>
+          </template>
+          <a-input v-model:value="form.gpucount" type="number" min="1" max="16" :placeholder="$t('label.gpu.count')"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="gpudisplay" ref="gpudisplay">
+          <template #label>
+            <tooltip-label :title="$t('label.gpu.display')" :tooltip="apiParams.gpudisplay.description"/>
+          </template>
+          <a-switch v-model:checked="form.gpudisplay" />
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-show="isAdmin()">
+      <a-switch v-model:checked="form.ispublic" />
+    </a-form-item>
+
+    <a-form-item name="domainid" ref="domainid" v-if="!form.ispublic">
+      <template #label>
+        <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
+      </template>
+      <a-select
+        mode="multiple"
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.domainid"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        :loading="domainLoading"
+        :placeholder="apiParams.domainid.description">
+        <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
+          <span>
+            <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+            <block-outlined v-else style="margin-right: 5px" />
+            {{ opt.path || opt.name || opt.description }}
+          </span>
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-form-item name="zoneid" ref="zoneid" v-if="!isSystem">
+      <template #label>
+        <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
+      </template>
+      <a-select
+        id="zone-selection"
+        mode="multiple"
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.zoneid"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+        @select="val => fetchvSphereStoragePolicies(val)"
+        :loading="zoneLoading"
+        :placeholder="apiParams.zoneid.description">
+        <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
+          <span>
+            <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+            <global-outlined v-else style="margin-right: 5px"/>
+            {{ opt.name || opt.description }}
+          </span>
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-form-item name="storagepolicy" ref="storagepolicy" v-if="'listVsphereStoragePolicies' in $store.getters.apis && storagePolicies !== null">
+      <template #label>
+        <tooltip-label :title="$t('label.vmware.storage.policy')" :tooltip="apiParams.storagepolicy.description"/>
+      </template>
+      <a-select
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.storagepolicy"
+        :placeholder="apiParams.storagepolicy.description"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => { return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0 }">
+        <a-select-option v-for="policy in storagePolicies" :key="policy.id" :label="policy.name || policy.id || ''">{{ policy.name || policy.id }}</a-select-option>
+      </a-select>
+    </a-form-item>
+
+    <a-form-item name="purgeresources" ref="purgeresources">
+      <template #label>
+        <tooltip-label :title="$t('label.purgeresources')" :tooltip="apiParams.purgeresources.description"/>
+      </template>
+      <a-switch v-model:checked="form.purgeresources"/>
+    </a-form-item>
+
+    <a-form-item name="showLeaseOptions" ref="showLeaseOptions" v-if="isLeaseFeatureEnabled">
+      <template #label>
+        <tooltip-label :title="$t('label.lease.enable')" :tooltip="$t('label.lease.enable.tooltip')" />
+      </template>
+      <a-switch v-model:checked="showLeaseOptions" @change="onToggleLeaseData"/>
+    </a-form-item>
+
+    <a-row :gutter="12" v-if="isLeaseFeatureEnabled && showLeaseOptions">
+      <a-col :md="12" :lg="12">
+        <a-form-item name="leaseduration" ref="leaseduration">
+          <template #label>
+            <tooltip-label :title="$t('label.leaseduration')"/>
+          </template>
+          <a-input v-model:value="form.leaseduration" :placeholder="$t('label.instance.lease.placeholder')"/>
+        </a-form-item>
+      </a-col>
+      <a-col :md="12" :lg="12">
+        <a-form-item name="leaseexpiryaction" ref="leaseexpiryaction" v-if="form.leaseduration > 0">
+          <template #label>
+            <tooltip-label :title="$t('label.leaseexpiryaction')" />
+          </template>
+          <a-select v-model:value="form.leaseexpiryaction" :defaultValue="expiryActions">
+            <a-select-option v-for="action in expiryActions" :key="action" :label="action"/>
+          </a-select>
+        </a-form-item>
+      </a-col>
+    </a-row>
+
+    <a-form-item name="computeonly" ref="computeonly">
+      <template #label>
+        <tooltip-label :title="$t('label.computeonly.offering')" :tooltip="$t('label.computeonly.offering.tooltip')"/>
+      </template>
+      <a-switch v-model:checked="form.computeonly" :checked="computeonly" @change="val => { computeonly = val }"/>
+    </a-form-item>
+
+    <a-card style="margin-bottom: 10px;">
+      <span v-if="computeonly">
+        <a-form-item name="storagetype" ref="storagetype">
+          <template #label>
+            <tooltip-label :title="$t('label.storagetype')" :tooltip="apiParams.storagetype.description"/>
+          </template>
+          <a-radio-group v-model:value="form.storagetype" buttonStyle="solid" @change="selected => { handleStorageTypeChange(selected.target.value) }">
+            <a-radio-button value="shared">{{ $t('label.shared') }}</a-radio-button>
+            <a-radio-button value="local">{{ $t('label.local') }}</a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="provisioningtype" ref="provisioningtype">
+          <template #label>
+            <tooltip-label :title="$t('label.provisioningtype')" :tooltip="apiParams.provisioningtype.description"/>
+          </template>
+          <a-radio-group v-model:value="form.provisioningtype" buttonStyle="solid" @change="selected => { handleProvisioningTypeChange(selected.target.value) }">
+            <a-radio-button value="thin">{{ $t('label.provisioningtype.thin') }}</a-radio-button>
+            <a-radio-button value="sparse">{{ $t('label.provisioningtype.sparse') }}</a-radio-button>
+            <a-radio-button value="fat">{{ $t('label.provisioningtype.fat') }}</a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="cachemode" ref="cachemode">
+          <template #label>
+            <tooltip-label :title="$t('label.cachemode')" :tooltip="apiParams.cachemode.description"/>
+          </template>
+          <a-radio-group v-model:value="form.cachemode" buttonStyle="solid" @change="selected => { handleCacheModeChange(selected.target.value) }">
+            <a-radio-button value="none">{{ $t('label.nodiskcache') }}</a-radio-button>
+            <a-radio-button value="writeback">{{ $t('label.writeback') }}</a-radio-button>
+            <a-radio-button value="writethrough">{{ $t('label.writethrough') }}</a-radio-button>
+            <a-radio-button value="hypervisor_default">{{ $t('label.hypervisor.default') }}</a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item :label="$t('label.qostype')" name="qostype" ref="qostype">
+          <a-radio-group v-model:value="form.qostype" buttonStyle="solid" @change="selected => { handleQosTypeChange(selected.target.value) }">
+            <a-radio-button value="">{{ $t('label.none') }}</a-radio-button>
+            <a-radio-button value="hypervisor">{{ $t('label.hypervisor') }}</a-radio-button>
+            <a-radio-button value="storage">{{ $t('label.storage') }}</a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+
+        <a-row :gutter="12" v-if="qosType === 'hypervisor'">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskbytesreadrate" ref="diskbytesreadrate">
+              <template #label>
+                <tooltip-label :title="$t('label.diskbytesreadrate')" :tooltip="apiParams.bytesreadrate.description"/>
+              </template>
+              <a-input v-model:value="form.diskbytesreadrate" :placeholder="apiParams.bytesreadrate.description"/>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskbyteswriterate" ref="diskbyteswriterate">
+              <template #label>
+                <tooltip-label :title="$t('label.diskbyteswriterate')" :tooltip="apiParams.byteswriterate.description"/>
+              </template>
+              <a-input v-model:value="form.diskbyteswriterate" :placeholder="apiParams.byteswriterate.description"/>
+            </a-form-item>
+          </a-col>
+        </a-row>
+
+        <a-row :gutter="12" v-if="qosType === 'hypervisor'">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskiopsreadrate" ref="diskiopsreadrate">
+              <template #label>
+                <tooltip-label :title="$t('label.diskiopsreadrate')" :tooltip="apiParams.iopsreadrate.description"/>
+              </template>
+              <a-input v-model:value="form.diskiopsreadrate" :placeholder="apiParams.iopsreadrate.description"/>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskiopswriterate" ref="diskiopswriterate">
+              <template #label>
+                <tooltip-label :title="$t('label.diskiopswriterate')" :tooltip="apiParams.iopswriterate.description"/>
+              </template>
+              <a-input v-model:value="form.diskiopswriterate" :placeholder="apiParams.iopswriterate.description"/>
+            </a-form-item>
+          </a-col>
+        </a-row>
+
+        <a-form-item v-if="!isSystem && qosType === 'storage'" name="iscustomizeddiskiops" ref="iscustomizeddiskiops">
+          <template #label>
+            <tooltip-label :title="$t('label.iscustomizeddiskiops')" :tooltip="apiParams.customizediops.description"/>
+          </template>
+          <a-switch v-model:checked="form.iscustomizeddiskiops" :checked="isCustomizedDiskIops" @change="val => { isCustomizedDiskIops = val }" />
+        </a-form-item>
+
+        <a-row :gutter="12" v-if="qosType === 'storage' && !isCustomizedDiskIops">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskiopsmin" ref="diskiopsmin">
+              <template #label>
+                <tooltip-label :title="$t('label.diskiopsmin')" :tooltip="apiParams.miniops.description"/>
+              </template>
+              <a-input v-model:value="form.diskiopsmin" :placeholder="apiParams.miniops.description"/>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="diskiopsmax" ref="diskiopsmax">
+              <template #label>
+                <tooltip-label :title="$t('label.diskiopsmax')" :tooltip="apiParams.maxiops.description"/>
+              </template>
+              <a-input v-model:value="form.diskiopsmax" :placeholder="apiParams.maxiops.description"/>
+            </a-form-item>
+          </a-col>
+        </a-row>
+
+        <a-form-item v-if="!isSystem && qosType === 'storage'" name="hypervisorsnapshotreserve" ref="hypervisorsnapshotreserve">
+          <template #label>
+            <tooltip-label :title="$t('label.hypervisorsnapshotreserve')" :tooltip="apiParams.hypervisorsnapshotreserve.description"/>
+          </template>
+          <a-input v-model:value="form.hypervisorsnapshotreserve" :placeholder="apiParams.hypervisorsnapshotreserve.description"/>
+        </a-form-item>
+
+        <a-row :gutter="12">
+          <a-col :md="12" :lg="12">
+            <a-form-item v-if="apiParams.rootdisksize" name="rootdisksize" ref="rootdisksize">
+              <template #label>
+                <tooltip-label :title="$t('label.root.disk.size')" :tooltip="apiParams.rootdisksize.description"/>
+              </template>
+              <a-input v-model:value="form.rootdisksize" :placeholder="apiParams.rootdisksize.description"/>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="storagetags" ref="storagetags">
+              <template #label>
+                <tooltip-label :title="$t('label.storagetags')" :tooltip="apiParams.tags.description"/>
+              </template>
+              <a-select
+                mode="tags"
+                :getPopupContainer="(trigger) => trigger.parentNode"
+                v-model:value="form.storagetags"
+                showSearch
+                optionFilterProp="value"
+                :filterOption="(input, option) => { return option.value.toLowerCase().indexOf(input.toLowerCase()) >= 0 }"
+                :loading="storageTagLoading"
+                :placeholder="apiParams.tags.description"
+                v-if="isAdmin() || isDomainAdminAllowedToInformTags">
+                <a-select-option v-for="opt in storageTags" :key="opt">{{ opt }}</a-select-option>
+              </a-select>
+            </a-form-item>
+          </a-col>
+        </a-row>
+
+        <a-form-item name="encryptdisk" ref="encryptdisk">
+          <template #label>
+            <tooltip-label :title="$t('label.encrypt')" :tooltip="apiParams.encryptroot.description" />
+          </template>
+          <a-switch v-model:checked="form.encryptdisk" :checked="encryptdisk" @change="val => { encryptdisk = val }" />
+        </a-form-item>
+      </span>
+      <span v-if="!computeonly">
+        <a-form-item>
+          <a-button type="primary" @click="addDiskOffering()"> {{ $t('label.add.disk.offering') }} </a-button>
+          <a-modal
+            :visible="showDiskOfferingModal"
+            :title="$t('label.add.disk.offering')"
+            :footer="null"
+            centered
+            :closable="true"
+            @cancel="closeDiskOfferingModal"
+            width="auto">
+            <add-disk-offering @close-action="closeDiskOfferingModal()" @publish-disk-offering-id="($event) => updateSelectedDiskOffering($event)"/>
+          </a-modal>
+          <br /><br />
+          <a-form-item :label="$t('label.disk.offerings')" name="diskofferingid" ref="diskofferingid">
+            <a-select :getPopupContainer="(trigger) => trigger.parentNode" v-model:value="form.diskofferingid" :loading="loading" :placeholder="$t('label.diskoffering')">
+              <a-select-option v-for="(offering, index) in diskOfferings" :value="offering.id" :key="index">{{ offering.displaytext || offering.name }}</a-select-option>
+            </a-select>
+          </a-form-item>
+        </a-form-item>
+      </span>
+      <a-form-item name="diskofferingstrictness" ref="diskofferingstrictness">
+        <template #label>
+          <tooltip-label :title="$t('label.diskofferingstrictness')" :tooltip="apiParams.diskofferingstrictness.description"/>
+        </template>
+        <a-switch v-model:checked="form.diskofferingstrictness" :checked="diskofferingstrictness" @change="val => { diskofferingstrictness = val }"/>
+      </a-form-item>
+    </a-card>
+
+    <a-form-item name="externaldetails" ref="externaldetails">
+      <template #label>
+        <tooltip-label :title="$t('label.externaldetails')" :tooltip="apiParams.externaldetails.description"/>
+      </template>
+      <a-switch v-model:checked="externalDetailsEnabled" @change="onExternalDetailsEnabledChange"/>
+      <a-card v-if="externalDetailsEnabled" style="margin-top: 10px">
+        <div style="margin-bottom: 10px">{{ $t('message.add.orchestrator.resource.details') }}</div>
+        <details-input v-model:value="form.externaldetails" />
+      </a-card>
+    </a-form-item>
+
+    <slot name="form-actions"></slot>
+  </a-form>
+</template>
+
+<script>
+import { reactive, toRaw } from 'vue'
+import { getAPI } from '@/api'
+import AddDiskOffering from '@/views/offering/AddDiskOffering'
+import { isAdmin } from '@/role'
+import { mixinForm } from '@/utils/mixin'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import DetailsInput from '@/components/widgets/DetailsInput'
+import store from '@/store'
+
+export default {
+  name: 'ComputeOfferingForm',
+  mixins: [mixinForm],
+  components: {
+    AddDiskOffering,
+    ResourceIcon,
+    TooltipLabel,
+    DetailsInput
+  },
+  props: {
+    initialValues: {
+      type: Object,
+      default: () => ({})
+    },
+    apiParams: {
+      type: Object,
+      default: () => ({})
+    },
+    isSystem: {
+      type: Boolean,
+      default: false
+    },
+    isAdmin: {
+      type: Function,
+      default: () => false
+    }
+  },
+  data () {
+    return {
+      internalFormRef: null,
+      form: reactive(Object.assign({
+        systemvmtype: 'domainrouter',
+        offeringtype: 'fixed',
+        ispublic: true,
+        dynamicscalingenabled: true,
+        plannermode: '',
+        gpucardid: '',
+        vgpuprofile: '',
+        gpucount: '1',
+        gpudisplay: false,
+        computeonly: true,
+        storagetype: 'shared',
+        provisioningtype: 'thin',
+        cachemode: 'none',
+        qostype: '',
+        iscustomizeddiskiops: false,
+        diskofferingid: null,
+        diskofferingstrictness: false,
+        encryptdisk: false,
+        leaseduration: undefined,
+        leaseexpiryaction: undefined
+      }, this.initialValues || {})),
+      rules: reactive({}),
+      // other UI state copied
+      storageType: 'shared',
+      provisioningType: 'thin',
+      cacheMode: 'none',
+      offeringType: 'fixed',
+      isCustomizedDiskIops: false,
+      isPublic: true,
+      domains: [],
+      domainLoading: false,
+      zones: [],
+      zoneLoading: false,
+      selectedDeploymentPlanner: null,
+      storagePolicies: null,
+      storageTags: [],
+      storageTagLoading: false,
+      deploymentPlanners: [],
+      deploymentPlannerLoading: false,
+      plannerModeVisible: false,
+      plannerMode: '',
+      selectedGpuCard: '',
+      showDiskOfferingModal: false,
+      gpuCardLoading: false,
+      gpuCards: [],
+      loading: false,
+      dynamicscalingenabled: true,
+      diskofferingstrictness: false,
+      encryptdisk: false,
+      computeonly: true,
+      diskOfferingLoading: false,
+      diskOfferings: [],
+      selectedDiskOfferingId: '',
+      qosType: '',
+      isDomainAdminAllowedToInformTags: false,
+      isLeaseFeatureEnabled: this.$store.getters.features.instanceleaseenabled,
+      showLeaseOptions: false,
+      expiryActions: ['STOP', 'DESTROY'],
+      defaultLeaseDuration: 90,
+      defaultLeaseExpiryAction: 'STOP',
+      leaseduration: undefined,
+      leaseexpiryaction: undefined,
+      vgpuProfiles: [],
+      vgpuProfileLoading: false,
+      externalDetailsEnabled: false
+    }
+  },
+  created () {
+    this.zones = [{ id: null, name: this.$t('label.all.zone') }]
+    this.initForm()
+    this.fetchData()
+    this.isPublic = isAdmin()
+    this.form.ispublic = this.isPublic
+  },
+  methods: {
+    initForm () {
+      this.formRef = this.$refs.internalFormRef
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.required.input') }]
+      })
+    },
+    fetchData () {
+      this.fetchDomainData()
+      this.fetchZoneData()
+      this.fetchGPUCards()
+      if (isAdmin()) {
+        this.fetchStorageTagData()
+        this.fetchDeploymentPlannerData()
+      } else if (this.isDomainAdmin()) {
+        this.checkIfDomainAdminIsAllowedToInformTag()
+        if (this.isDomainAdminAllowedToInformTags) {
+          this.fetchStorageTagData()
+        }
+      }
+      this.fetchDiskOfferings()
+    },
+    fetchGPUCards () {
+      this.gpuCardLoading = true
+      getAPI('listGpuCards', {
+      }).then(json => {
+        this.gpuCards = json.listgpucardsresponse.gpucard || []
+        this.gpuCards.unshift({ id: '', name: this.$t('label.none') })
+      }).finally(() => {
+        this.gpuCardLoading = false
+      })
+    },
+    addDiskOffering () { this.showDiskOfferingModal = true },
+    fetchDiskOfferings () {
+      this.diskOfferingLoading = true
+      getAPI('listDiskOfferings', { listall: true }).then(json => {
+        this.diskOfferings = json.listdiskofferingsresponse.diskoffering || []
+        if (this.selectedDiskOfferingId === '') {
+          this.selectedDiskOfferingId = this.diskOfferings[0]?.id || ''
+        }
+      }).finally(() => { this.diskOfferingLoading = false })
+    },
+    updateSelectedDiskOffering (id) { if (id) this.selectedDiskOfferingId = id },
+    closeDiskOfferingModal () { this.fetchDiskOfferings(); this.showDiskOfferingModal = false },
+    isDomainAdmin () {
+      return ['DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
+    },
+    getVgpuProfileDetails (vgpuProfile) {
+      let output = '('
+      if (vgpuProfile?.videoram) output += `${vgpuProfile.videoram} MB`
+      if (vgpuProfile?.maxresolutionx && vgpuProfile?.maxresolutiony) {
+        if (output !== '(') output += ', '
+        output += `${vgpuProfile.maxresolutionx}x${vgpuProfile.maxresolutiony}`
+      }
+      output += ')'
+      return output === '()' ? '' : output
+    },
+    checkIfDomainAdminIsAllowedToInformTag () {
+      const params = { id: store.getters.userInfo.accountid }
+      getAPI('isAccountAllowedToCreateOfferingsWithTags', params).then(json => {
+        this.isDomainAdminAllowedToInformTags = json.isaccountallowedtocreateofferingswithtagsresponse.isallowed.isallowed
+      })
+    },
+    arrayHasItems (array) { return array !== null && array !== undefined && Array.isArray(array) && array.length > 0 },
+    fetchDomainData () {
+      const params = { listAll: true, showicon: true, details: 'min' }
+      this.domainLoading = true
+      getAPI('listDomains', params).then(json => {
+        const listDomains = json.listdomainsresponse.domain
+        this.domains = this.domains.concat(listDomains)
+      }).finally(() => { this.domainLoading = false })
+    },
+    fetchZoneData () {
+      const params = { showicon: true }
+      this.zoneLoading = true
+      getAPI('listZones', params).then(json => {
+        const listZones = json.listzonesresponse.zone
+        if (listZones) this.zones = this.zones.concat(listZones)
+      }).finally(() => { this.zoneLoading = false })
+    },
+    fetchStorageTagData () {
+      this.storageTagLoading = true
+      this.storageTags = []
+      getAPI('listStorageTags').then(json => {
+        const tags = json.liststoragetagsresponse.storagetag || []
+        for (const tag of tags) if (!this.storageTags.includes(tag.name)) this.storageTags.push(tag.name)
+      }).finally(() => { this.storageTagLoading = false })
+    },
+    fetchDeploymentPlannerData () {
+      this.deploymentPlannerLoading = true
+      getAPI('listDeploymentPlanners').then(json => {
+        const planners = json.listdeploymentplannersresponse.deploymentPlanner
+        this.deploymentPlanners = this.deploymentPlanners.concat(planners)
+        this.deploymentPlanners.unshift({ name: '' })
+        this.form.deploymentplanner = this.deploymentPlanners.length > 0 ? this.deploymentPlanners[0].name : ''
+      }).finally(() => { this.deploymentPlannerLoading = false })
+    },
+    fetchvSphereStoragePolicies (zoneIndex) {
+      if (zoneIndex === 0 || this.form.zoneid.length > 1) { this.storagePolicies = null; return }
+      const zoneid = this.zones[zoneIndex].id
+      if ('importVsphereStoragePolicies' in this.$store.getters.apis) {
+        this.storagePolicies = []
+        getAPI('listVsphereStoragePolicies', { zoneid }).then(response => { this.storagePolicies = response.listvspherestoragepoliciesresponse.StoragePolicy || [] })
+      }
+    },
+    handleStorageTypeChange (val) { this.storageType = val },
+    handleProvisioningTypeChange (val) { this.provisioningType = val },
+    handleCacheModeChange (val) { this.cacheMode = val },
+    handleComputeOfferingTypeChange (val) { this.offeringType = val },
+    handleQosTypeChange (val) { this.qosType = val },
+    handleDeploymentPlannerChange (planner) { this.selectedDeploymentPlanner = planner; this.plannerModeVisible = false; if (this.selectedDeploymentPlanner === 'ImplicitDedicationPlanner') this.plannerModeVisible = isAdmin() },
+    handleGpuCardChange (cardId) { this.selectedGpuCard = cardId; this.form.vgpuprofile = ''; if (cardId && cardId !== '') this.fetchVgpuProfiles(cardId); else { this.vgpuProfiles = []; this.form.gpucount = '1' } },
+    fetchVgpuProfiles (gpuCardId) { this.vgpuProfileLoading = true; this.vgpuProfiles = []; getAPI('listVgpuProfiles', { gpucardid: gpuCardId }).then(json => { this.vgpuProfiles = json.listvgpuprofilesresponse.vgpuprofile || []; this.form.vgpuprofile = this.vgpuProfiles.length > 0 ? this.vgpuProfiles[0].id : '' }).catch(() => { this.vgpuProfiles = [] }).finally(() => { this.vgpuProfileLoading = false }) },
+    onExternalDetailsEnabledChange (val) { if (val || !this.form.externaldetails) return; this.form.externaldetails = undefined },
+    onToggleLeaseData () { if (this.showLeaseOptions === false) { this.leaseduration = undefined; this.leaseexpiryaction = undefined } else { this.leaseduration = this.leaseduration !== undefined ? this.leaseduration : this.defaultLeaseDuration; this.leaseexpiryaction = this.leaseexpiryaction !== undefined ? this.leaseexpiryaction : this.defaultLeaseExpiryAction } this.form.leaseduration = this.leaseduration; this.form.leaseexpiryaction = this.leaseexpiryaction },
+
+    validate () {
+      return this.$refs.internalFormRef.validate().then(() => {
+        const formRaw = toRaw(this.form)
+        const values = this.handleRemoveFields(formRaw)
+        return values
+      })
+    },
+    onInternalSubmit (e) {
+      // When internal form triggers submit, validate and emit
+      this.validate().then(values => this.$emit('submit', values))
+    }
+  }
+}
+</script>
+
+<style scoped>
+</style>
diff --git a/ui/src/components/offering/DiskOfferingForm.vue b/ui/src/components/offering/DiskOfferingForm.vue
new file mode 100644
index 00000000000..f3f39647fef
--- /dev/null
+++ b/ui/src/components/offering/DiskOfferingForm.vue
@@ -0,0 +1,507 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <a-form
+    ref="internalFormRef"
+    :model="form"
+    :rules="rules"
+    @finish="onInternalSubmit"
+    layout="vertical">
+    <a-form-item name="name" ref="name">
+      <template #label>
+        <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+      </template>
+      <a-input
+        v-focus="true"
+        v-model:value="form.name"
+        :placeholder="apiParams.name.description"/>
+    </a-form-item>
+    <a-form-item name="displaytext" ref="displaytext">
+      <template #label>
+        <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
+      </template>
+      <a-input
+        v-model:value="form.displaytext"
+        :placeholder="apiParams.displaytext.description"/>
+    </a-form-item>
+    <a-form-item name="storagetype" ref="storagetype">
+      <template #label>
+        <tooltip-label :title="$t('label.storagetype')" :tooltip="apiParams.storagetype.description"/>
+      </template>
+      <a-radio-group
+        v-model:value="form.storagetype"
+        buttonStyle="solid">
+        <a-radio-button value="shared">
+          {{ $t('label.shared') }}
+        </a-radio-button>
+        <a-radio-button value="local">
+          {{ $t('label.local') }}
+        </a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+    <a-form-item name="provisioningtype" ref="provisioningtype">
+      <template #label>
+        <tooltip-label :title="$t('label.provisioningtype')" :tooltip="apiParams.provisioningtype.description"/>
+      </template>
+      <a-radio-group
+        v-model:value="form.provisioningtype"
+        buttonStyle="solid">
+        <a-radio-button value="thin">
+          {{ $t('label.provisioningtype.thin') }}
+        </a-radio-button>
+        <a-radio-button value="sparse">
+          {{ $t('label.provisioningtype.sparse') }}
+        </a-radio-button>
+        <a-radio-button value="fat">
+          {{ $t('label.provisioningtype.fat') }}
+        </a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+    <a-form-item name="encryptdisk" ref="encryptdisk">
+      <template #label>
+        <tooltip-label :title="$t('label.encrypt')" :tooltip="apiParams.encrypt.description" />
+      </template>
+      <a-switch v-model:checked="form.encryptdisk" :checked="encryptdisk" @change="val => { encryptdisk = val }" />
+    </a-form-item>
+    <a-form-item name="disksizestrictness" ref="disksizestrictness">
+      <template #label>
+        <tooltip-label :title="$t('label.disksizestrictness')" :tooltip="apiParams.disksizestrictness.description" />
+      </template>
+      <a-switch v-model:checked="form.disksizestrictness" :checked="disksizestrictness" @change="val => { disksizestrictness = val }" />
+    </a-form-item>
+    <a-form-item name="customdisksize" ref="customdisksize">
+      <template #label>
+        <tooltip-label :title="$t('label.customdisksize')" :tooltip="apiParams.customized.description"/>
+      </template>
+      <a-switch v-model:checked="form.customdisksize" />
+    </a-form-item>
+    <a-form-item v-if="!form.customdisksize" name="disksize" ref="disksize">
+      <template #label>
+        <tooltip-label :title="$t('label.disksize')" :tooltip="apiParams.disksize.description"/>
+      </template>
+      <a-input
+        v-model:value="form.disksize"
+        :placeholder="apiParams.disksize.description"/>
+    </a-form-item>
+    <a-form-item name="qostype" ref="qostype" :label="$t('label.qostype')">
+      <a-radio-group
+        v-model:value="form.qostype"
+        buttonStyle="solid">
+        <a-radio-button value="">
+          {{ $t('label.none') }}
+        </a-radio-button>
+        <a-radio-button value="hypervisor">
+          {{ $t('label.hypervisor') }}
+        </a-radio-button>
+        <a-radio-button value="storage">
+          {{ $t('label.storage') }}
+        </a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbytesreadrate" ref="diskbytesreadrate">
+      <template #label>
+        <tooltip-label :title="$t('label.diskbytesreadrate')" :tooltip="apiParams.bytesreadrate.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskbytesreadrate"
+        :placeholder="apiParams.bytesreadrate.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbytesreadratemax" ref="diskbytesreadratemax">
+      <template #label>
+        <tooltip-label :title="$t('label.diskbytesreadratemax')" :tooltip="apiParams.bytesreadratemax.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskbytesreadratemax"
+        :placeholder="apiParams.bytesreadratemax.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbyteswriterate" ref="diskbyteswriterate">
+      <template #label>
+        <tooltip-label :title="$t('label.diskbyteswriterate')" :tooltip="apiParams.byteswriterate.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskbyteswriterate"
+        :placeholder="apiParams.byteswriterate.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbyteswriteratemax" ref="diskbyteswriteratemax">
+      <template #label>
+        <tooltip-label :title="$t('label.diskbyteswriteratemax')" :tooltip="apiParams.byteswriteratemax.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskbyteswriteratemax"
+        :placeholder="apiParams.byteswriteratemax.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskiopsreadrate" ref="diskiopsreadrate">
+      <template #label>
+        <tooltip-label :title="$t('label.diskiopsreadrate')" :tooltip="apiParams.iopsreadrate.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskiopsreadrate"
+        :placeholder="apiParams.iopsreadrate.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'hypervisor'" name="diskiopswriterate" ref="diskiopswriterate">
+      <template #label>
+        <tooltip-label :title="$t('label.diskiopswriterate')" :tooltip="apiParams.iopswriterate.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskiopswriterate"
+        :placeholder="apiParams.iopswriterate.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'storage'" name="iscustomizeddiskiops" ref="iscustomizeddiskiops">
+      <template #label>
+        <tooltip-label :title="$t('label.iscustomizeddiskiops')" :tooltip="apiParams.customizediops.description"/>
+      </template>
+      <a-switch v-model:checked="form.iscustomizeddiskiops" />
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'storage' && !form.iscustomizeddiskiops" name="diskiopsmin" ref="diskiopsmin">
+      <template #label>
+        <tooltip-label :title="$t('label.diskiopsmin')" :tooltip="apiParams.miniops.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskiopsmin"
+        :placeholder="apiParams.miniops.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'storage' && !form.iscustomizeddiskiops" name="diskiopsmax" ref="diskiopsmax">
+      <template #label>
+        <tooltip-label :title="$t('label.diskiopsmax')" :tooltip="apiParams.maxiops.description"/>
+      </template>
+      <a-input
+        v-model:value="form.diskiopsmax"
+        :placeholder="apiParams.maxiops.description"/>
+    </a-form-item>
+    <a-form-item v-if="form.qostype === 'storage'" name="hypervisorsnapshotreserve" ref="hypervisorsnapshotreserve">
+      <template #label>
+        <tooltip-label :title="$t('label.hypervisorsnapshotreserve')" :tooltip="apiParams.hypervisorsnapshotreserve.description"/>
+      </template>
+      <a-input
+        v-model:value="form.hypervisorsnapshotreserve"
+        :placeholder="apiParams.hypervisorsnapshotreserve.description"/>
+    </a-form-item>
+    <a-form-item name="writecachetype" ref="writecachetype">
+      <template #label>
+        <tooltip-label :title="$t('label.writecachetype')" :tooltip="apiParams.cachemode.description"/>
+      </template>
+      <a-radio-group
+        v-model:value="form.writecachetype"
+        buttonStyle="solid"
+        @change="selected => { handleWriteCacheTypeChange(selected.target.value) }">
+        <a-radio-button value="none">
+          {{ $t('label.nodiskcache') }}
+        </a-radio-button>
+        <a-radio-button value="writeback">
+          {{ $t('label.writeback') }}
+        </a-radio-button>
+        <a-radio-button value="writethrough">
+          {{ $t('label.writethrough') }}
+        </a-radio-button>
+        <a-radio-button value="hypervisor_default">
+          {{ $t('label.hypervisor.default') }}
+        </a-radio-button>
+      </a-radio-group>
+    </a-form-item>
+    <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="tags" ref="tags">
+      <template #label>
+        <tooltip-label :title="$t('label.storagetags')" :tooltip="apiParams.tags.description"/>
+      </template>
+      <a-select
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        mode="tags"
+        v-model:value="form.tags"
+        showSearch
+        optionFilterProp="value"
+        :filterOption="(input, option) => {
+          return option.value.toLowerCase().indexOf(input.toLowerCase()) >= 0
+        }"
+        :loading="storageTagLoading"
+        :placeholder="apiParams.tags.description"
+        v-if="isAdmin() || isDomainAdminAllowedToInformTags">
+        <a-select-option v-for="(opt) in storageTags" :key="opt">
+          {{ opt }}
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+    <a-form-item :label="$t('label.ispublic')" v-show="isAdmin()" name="ispublic" ref="ispublic">
+      <a-switch v-model:checked="form.ispublic" @change="val => { isPublic = val }" />
+    </a-form-item>
+    <a-form-item v-if="!isPublic" name="domainid" ref="domainid">
+      <template #label>
+        <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
+      </template>
+      <a-select
+        mode="multiple"
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.domainid"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => {
+          return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+        }"
+        :loading="domainLoading"
+        :placeholder="apiParams.domainid.description">
+        <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
+          <span>
+            <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+            <block-outlined v-else style="margin-right: 5px" />
+            {{ opt.path || opt.name || opt.description }}
+          </span>
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+    <a-form-item name="zoneid" ref="zoneid">
+      <template #label>
+        <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
+      </template>
+      <a-select
+        id="zone-selection"
+        mode="multiple"
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.zoneid"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => {
+          return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+        }"
+        @select="val => fetchvSphereStoragePolicies(val)"
+        :loading="zoneLoading"
+        :placeholder="apiParams.zoneid.description">
+        <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
+          <span>
+            <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+            <global-outlined v-else style="margin-right: 5px"/>
+            {{ opt.name || opt.description }}
+          </span>
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+    <a-form-item v-if="'listVsphereStoragePolicies' in $store.getters.apis && storagePolicies !== null" name="storagepolicy" ref="storagepolicy">
+      <template #label>
+        <tooltip-label :title="$t('label.vmware.storage.policy')" :tooltip="apiParams.storagepolicy.description"/>
+      </template>
+      <a-select
+        :getPopupContainer="(trigger) => trigger.parentNode"
+        v-model:value="form.storagepolicy"
+        :placeholder="apiParams.storagepolicy.description"
+        showSearch
+        optionFilterProp="label"
+        :filterOption="(input, option) => {
+          return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+        }">
+        <a-select-option v-for="policy in storagePolicies" :key="policy.id" :label="policy.name || policy.id || ''">
+          {{ policy.name || policy.id }}
+        </a-select-option>
+      </a-select>
+    </a-form-item>
+    <slot name="form-actions"></slot>
+  </a-form>
+</template>
+
+<script>
+import { reactive, toRaw } from 'vue'
+import { getAPI } from '@/api'
+import { isAdmin } from '@/role'
+import { mixinForm } from '@/utils/mixin'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import store from '@/store'
+import { BlockOutlined, GlobalOutlined } from '@ant-design/icons-vue'
+
+export default {
+  name: 'DiskOfferingForm',
+  mixins: [mixinForm],
+  components: {
+    ResourceIcon,
+    TooltipLabel,
+    BlockOutlined,
+    GlobalOutlined
+  },
+  props: {
+    initialValues: {
+      type: Object,
+      default: () => ({})
+    },
+    apiParams: {
+      type: Object,
+      default: () => ({})
+    },
+    isAdmin: {
+      type: Function,
+      default: () => false
+    }
+  },
+  data () {
+    return {
+      internalFormRef: null,
+      form: reactive(Object.assign({
+        storagetype: 'shared',
+        provisioningtype: 'thin',
+        customdisksize: true,
+        writecachetype: 'none',
+        qostype: '',
+        ispublic: true,
+        disksizestrictness: false,
+        encryptdisk: false
+      }, this.initialValues || {})),
+      rules: reactive({}),
+      storageTags: [],
+      storagePolicies: null,
+      storageTagLoading: false,
+      isPublic: true,
+      domains: [],
+      domainLoading: false,
+      zones: [],
+      zoneLoading: false,
+      disksizestrictness: false,
+      encryptdisk: false,
+      isDomainAdminAllowedToInformTags: false
+    }
+  },
+  created () {
+    this.zones = [{ id: null, name: this.$t('label.all.zone') }]
+    this.initForm()
+    this.fetchData()
+    this.isPublic = isAdmin()
+    this.form.ispublic = this.isPublic
+  },
+  methods: {
+    initForm () {
+      this.formRef = this.$refs.internalFormRef
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.required.input') }],
+        disksize: [
+          { required: true, message: this.$t('message.error.required.input') },
+          { type: 'number', validator: this.validateNumber }
+        ],
+        diskbytesreadrate: [{ type: 'number', validator: this.validateNumber }],
+        diskbytesreadratemax: [{ type: 'number', validator: this.validateNumber }],
+        diskbyteswriterate: [{ type: 'number', validator: this.validateNumber }],
+        diskbyteswriteratemax: [{ type: 'number', validator: this.validateNumber }],
+        diskiopsreadrate: [{ type: 'number', validator: this.validateNumber }],
+        diskiopswriterate: [{ type: 'number', validator: this.validateNumber }],
+        diskiopsmin: [{ type: 'number', validator: this.validateNumber }],
+        diskiopsmax: [{ type: 'number', validator: this.validateNumber }],
+        hypervisorsnapshotreserve: [{ type: 'number', validator: this.validateNumber }],
+        domainid: [{ type: 'array', required: true, message: this.$t('message.error.select') }],
+        zoneid: [{
+          type: 'array',
+          validator: async (rule, value) => {
+            if (value && value.length > 1 && value.indexOf(0) !== -1) {
+              return Promise.reject(this.$t('message.error.zone.combined'))
+            }
+            return Promise.resolve()
+          }
+        }]
+      })
+    },
+    fetchData () {
+      this.fetchDomainData()
+      this.fetchZoneData()
+      if (isAdmin()) {
+        this.fetchStorageTagData()
+      }
+      if (this.isDomainAdmin()) {
+        this.checkIfDomainAdminIsAllowedToInformTag()
+        if (this.isDomainAdminAllowedToInformTags) {
+          this.fetchStorageTagData()
+        }
+      }
+    },
+    handleWriteCacheTypeChange (val) {
+      this.form.writecachetype = val
+    },
+    isDomainAdmin () {
+      return ['DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
+    },
+    checkIfDomainAdminIsAllowedToInformTag () {
+      const params = { id: store.getters.userInfo.accountid }
+      getAPI('isAccountAllowedToCreateOfferingsWithTags', params).then(json => {
+        this.isDomainAdminAllowedToInformTags = json.isaccountallowedtocreateofferingswithtagsresponse.isallowed.isallowed
+      })
+    },
+    fetchDomainData () {
+      const params = {}
+      params.listAll = true
+      params.showicon = true
+      params.details = 'min'
+      this.domainLoading = true
+      getAPI('listDomains', params).then(json => {
+        const listDomains = json.listdomainsresponse.domain
+        this.domains = this.domains.concat(listDomains)
+      }).finally(() => {
+        this.domainLoading = false
+      })
+    },
+    fetchZoneData () {
+      const params = {}
+      params.showicon = true
+      this.zoneLoading = true
+      getAPI('listZones', params).then(json => {
+        const listZones = json.listzonesresponse.zone
+        if (listZones) {
+          this.zones = this.zones.concat(listZones)
+        }
+      }).finally(() => {
+        this.zoneLoading = false
+      })
+    },
+    fetchStorageTagData () {
+      const params = {}
+      this.storageTagLoading = true
+      getAPI('listStorageTags', params).then(json => {
+        const tags = json.liststoragetagsresponse.storagetag || []
+        for (const tag of tags) {
+          if (!this.storageTags.includes(tag.name)) {
+            this.storageTags.push(tag.name)
+          }
+        }
+      }).finally(() => {
+        this.storageTagLoading = false
+      })
+    },
+    fetchvSphereStoragePolicies (zoneIndex) {
+      if (zoneIndex === 0 || this.form.zoneid.length > 1) {
+        this.storagePolicies = null
+        return
+      }
+      const zoneid = this.zones[zoneIndex].id
+      if ('importVsphereStoragePolicies' in this.$store.getters.apis) {
+        this.storagePolicies = []
+        getAPI('listVsphereStoragePolicies', {
+          zoneid: zoneid
+        }).then(response => {
+          this.storagePolicies = response.listvspherestoragepoliciesresponse.StoragePolicy || []
+        })
+      }
+    },
+    validate () {
+      return this.$refs.internalFormRef.validate().then(() => {
+        const formRaw = toRaw(this.form)
+        const values = this.handleRemoveFields(formRaw)
+        return values
+      })
+    },
+    onInternalSubmit () {
+      this.$emit('submit')
+    },
+    async validateNumber (rule, value) {
+      if (value && (isNaN(value) || value <= 0)) {
+        return Promise.reject(this.$t('message.error.number'))
+      }
+      return Promise.resolve()
+    }
+  }
+}
+</script>
diff --git a/ui/src/composables/useServiceCapabilityParams.js b/ui/src/composables/useServiceCapabilityParams.js
new file mode 100644
index 00000000000..734f30ec3f4
--- /dev/null
+++ b/ui/src/composables/useServiceCapabilityParams.js
@@ -0,0 +1,153 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+export function buildServiceCapabilityParams (params, values, selectedServiceProviderMap, registeredServicePackages) {
+  const supportedServices = Object.keys(selectedServiceProviderMap)
+  params.supportedservices = supportedServices.join(',')
+  for (const k in supportedServices) {
+    params[`serviceProviderList[${k}].service`] = supportedServices[k]
+    params[`serviceProviderList[${k}].provider`] = selectedServiceProviderMap[supportedServices[k]]
+  }
+  let serviceCapabilityIndex = 0
+  if (supportedServices.includes('Connectivity')) {
+    if (values.supportsstrechedl2subnet === true) {
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Connectivity'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RegionLevelVpc'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    if (values.supportspublicaccess === true) {
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Connectivity'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'DistributedRouter'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    delete params.supportsstrechedl2subnet
+    delete params.supportspublicaccess
+  }
+  // SourceNat capabilities
+  if (supportedServices.includes('SourceNat')) {
+    if (values.redundantroutercapability === true) {
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'SourceNat'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RedundantRouter'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'SourceNat'
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'SupportedSourceNatTypes'
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = values.sourcenattype
+    serviceCapabilityIndex++
+    delete params.redundantroutercapability
+    delete params.sourcenattype
+  } else if (values.redundantroutercapability === true) {
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Gateway'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RedundantRouter'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+    serviceCapabilityIndex++
+  }
+  // StaticNat capabilities
+  if (supportedServices.includes('SourceNat')) {
+    if (values.elasticip === true) {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'StaticNat'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'ElasticIp'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    if (values.elasticip === true || values.associatepublicip === true) {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'StaticNat'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'associatePublicIP'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = values.associatepublicip
+      serviceCapabilityIndex++
+    }
+    delete params.elasticip
+    delete params.associatepublicip
+  }
+  // Lb capabilities
+  if (supportedServices.includes('Lb')) {
+    if ('vmautoscalingcapability' in values) {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'lb'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'VmAutoScaling'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = values.vmautoscalingcapability
+      serviceCapabilityIndex++
+    }
+    if (values.elasticlb === true) {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'lb'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'ElasticLb'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    if (values.inlinemode === true && ((selectedServiceProviderMap.Lb === 'F5BigIp') || (selectedServiceProviderMap.Lb === 'Netscaler'))) {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'lb'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'InlineMode'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = values.inlinemode
+      serviceCapabilityIndex++
+    }
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'lb'
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'SupportedLbIsolation'
+    params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = values.isolation || 'dedicated'
+    serviceCapabilityIndex++
+    if (selectedServiceProviderMap.Lb === 'InternalLbVm') {
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].service`] = 'lb'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilitytype`] = 'lbSchemes'
+      params[`servicecapabilitylist[${serviceCapabilityIndex}].capabilityvalue`] = 'internal'
+      serviceCapabilityIndex++
+    }
+    if ('netscalerservicepackages' in values &&
+      registeredServicePackages.length > values.netscalerservicepackages &&
+      'netscalerservicepackagesdescription' in values) {
+      params['details[0].servicepackageuuid'] = registeredServicePackages[values.netscalerservicepackages].id
+      params['details[1].servicepackagedescription'] = values.netscalerservicepackagesdescription
+    }
+  }
+}
+
+/**
+ * Build the VPC service capability params for Add/Clone VPC Offering forms.
+ * Handles: RegionLevelVpc, DistributedRouter, RedundantRouter (SourceNat/Gateway)
+ */
+export function buildVpcServiceCapabilityParams (params, values, selectedServiceProviderMap, isVpcVirtualRouterForAtLeastOneService) {
+  const supportedServices = Object.keys(selectedServiceProviderMap)
+  let serviceCapabilityIndex = 0
+  if (supportedServices.includes('Connectivity')) {
+    if (values.regionlevelvpc === true) {
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Connectivity'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RegionLevelVpc'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+    if (values.distributedrouter === true) {
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Connectivity'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'DistributedRouter'
+      params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+      serviceCapabilityIndex++
+    }
+  }
+  if (supportedServices.includes('SourceNat') && values.redundantrouter === true) {
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'SourceNat'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RedundantRouter'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+    serviceCapabilityIndex++
+  } else if (values.redundantrouter === true) {
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].service`] = 'Gateway'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilitytype`] = 'RedundantRouter'
+    params[`serviceCapabilityList[${serviceCapabilityIndex}].capabilityvalue`] = true
+    serviceCapabilityIndex++
+  }
+  if (values.serviceofferingid && isVpcVirtualRouterForAtLeastOneService) {
+    params.serviceofferingid = values.serviceofferingid
+  }
+}
diff --git a/ui/src/config/section/compute.js b/ui/src/config/section/compute.js
index 32e888bb53d..dd17116df02 100644
--- a/ui/src/config/section/compute.js
+++ b/ui/src/config/section/compute.js
@@ -331,7 +331,7 @@ export default {
           docHelp: 'adminguide/virtual_machines.html#change-affinity-group-for-an-existing-vm',
           dataView: true,
           args: ['affinitygroupids'],
-          show: (record) => { return record.hypervisor !== 'External' && ['Stopped'].includes(record.state) && record.vmtype !== 'sharedfsvm' },
+          show: (record) => { return record.hypervisor !== 'External' && ['Stopped'].includes(record.state) && record.vmtype !== 'sharedfsvm' && record.vmtype !== 'cksnode' },
           component: shallowRef(defineAsyncComponent(() => import('@/views/compute/ChangeAffinity'))),
           popup: true
         },
@@ -576,7 +576,7 @@ export default {
         const filters = ['cloud.managed', 'external.managed']
         return filters
       },
-      details: ['name', 'description', 'zonename', 'kubernetesversionname', 'autoscalingenabled', 'csienabled', 'minsize', 'maxsize', 'size', 'controlnodes', 'etcdnodes', 'cpunumber', 'memory', 'keypair', 'cniconfigname', 'associatednetworkname', 'account', 'domain', 'zonename', 'clustertype', 'created'],
+      details: ['name', 'description', 'zonename', 'kubernetesversionname', 'autoscalingenabled', 'csienabled', 'minsize', 'maxsize', 'size', 'controlnodes', 'controlaffinitygroupnames', 'etcdnodes', 'etcdaffinitygroupnames', 'workeraffinitygroupnames', 'cpunumber', 'memory', 'keypair', 'cniconfigname', 'associatednetworkname', 'account', 'domain', 'zonename', 'clustertype', 'created'],
       tabs: [
         {
           name: 'k8s',
@@ -797,7 +797,7 @@ export default {
         },
         {
           api: 'scaleKubernetesCluster',
-          icon: 'swap-outlined',
+          icon: 'arrows-alt-outlined',
           label: 'label.kubernetes.cluster.scale',
           message: 'message.kubernetes.cluster.scale',
           docHelp: 'plugins/cloudstack-kubernetes-service.html#scaling-kubernetes-cluster',
@@ -806,6 +806,15 @@ export default {
           popup: true,
           component: shallowRef(defineAsyncComponent(() => import('@/views/compute/ScaleKubernetesCluster.vue')))
         },
+        {
+          api: 'updateKubernetesClusterAffinityGroups',
+          icon: 'swap-outlined',
+          label: 'label.change.affinity',
+          dataView: true,
+          show: (record) => { return ['Stopped'].includes(record.state) && record.clustertype === 'CloudManaged' },
+          popup: true,
+          component: shallowRef(defineAsyncComponent(() => import('@/views/compute/ChangeKubernetesClusterAffinity.vue')))
+        },
         {
           api: 'upgradeKubernetesCluster',
           icon: 'plus-circle-outlined',
@@ -1325,12 +1334,8 @@ export default {
           label: 'label.add.affinity.group',
           docHelp: 'adminguide/virtual_machines.html#creating-a-new-affinity-group',
           listView: true,
-          args: ['name', 'description', 'type'],
-          mapping: {
-            type: {
-              options: ['host anti-affinity (Strict)', 'host affinity (Strict)', 'host anti-affinity (Non-Strict)', 'host affinity (Non-Strict)']
-            }
-          }
+          popup: true,
+          component: shallowRef(defineAsyncComponent(() => import('@/views/compute/CreateAffinityGroup.vue')))
         },
         {
           api: 'deleteAffinityGroup',
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
index 33b39d27172..37cdd0c8b98 100644
--- a/ui/src/config/section/network.js
+++ b/ui/src/config/section/network.js
@@ -20,6 +20,7 @@ import store from '@/store'
 import tungsten from '@/assets/icons/tungsten.svg?inline'
 import { isAdmin } from '@/role'
 import { isZoneCreated } from '@/utils/zone'
+import { vueProps } from '@/vue-app'
 
 export default {
   name: 'network',
@@ -171,13 +172,16 @@ export default {
             if (isGroupAction || record.vpcid == null) {
               fields.push('cleanup')
             }
+            if (!record.redundantrouter && vueProps.$config.allowMakingRouterRedundant) {
+              fields.push('makeredundant')
+            }
             fields.push('livepatch')
             return fields
           },
           show: (record) => record.type !== 'L2',
           groupAction: true,
           popup: true,
-          groupMap: (selection, values) => { return selection.map(x => { return { id: x, cleanup: values.cleanup } }) }
+          groupMap: (selection, values) => { return selection.map(x => { return { id: x, cleanup: values.cleanup, makeredundant: values.makeredundant } }) }
         },
         {
           api: 'replaceNetworkACLList',
diff --git a/ui/src/config/section/offering.js b/ui/src/config/section/offering.js
index bc95772d6f7..9d7b743a70a 100644
--- a/ui/src/config/section/offering.js
+++ b/ui/src/config/section/offering.js
@@ -143,6 +143,14 @@ export default {
         },
         show: (record) => { return record.state === 'Active' },
         groupMap: (selection) => { return selection.map(x => { return { id: x, state: 'Inactive' } }) }
+      }, {
+        api: 'cloneServiceOffering',
+        icon: 'copy-outlined',
+        label: 'label.clone.compute.offering',
+        docHelp: 'adminguide/service_offerings.html#creating-a-new-compute-offering',
+        dataView: true,
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneComputeOffering.vue')))
       }]
     },
     {
@@ -225,6 +233,15 @@ export default {
         },
         show: (record) => { return record.state === 'Active' },
         groupMap: (selection) => { return selection.map(x => { return { id: x, state: 'Inactive' } }) }
+      }, {
+        api: 'cloneServiceOffering',
+        icon: 'copy-outlined',
+        label: 'label.clone.system.service.offering',
+        docHelp: 'adminguide/service_offerings.html#creating-a-new-system-service-offering',
+        dataView: true,
+        params: { issystem: 'true' },
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneComputeOffering.vue')))
       }]
     },
     {
@@ -332,6 +349,14 @@ export default {
         },
         show: (record) => { return record.state === 'Active' },
         groupMap: (selection) => { return selection.map(x => { return { id: x, state: 'Inactive' } }) }
+      }, {
+        api: 'cloneDiskOffering',
+        icon: 'copy-outlined',
+        label: 'label.clone.disk.offering',
+        docHelp: 'adminguide/service_offerings.html#creating-a-new-disk-offering',
+        dataView: true,
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneDiskOffering.vue')))
       }]
     },
     {
@@ -376,6 +401,14 @@ export default {
         popup: true,
         groupMap: (selection) => { return selection.map(x => { return { id: x } }) },
         args: ['name', 'description', 'allowuserdrivenbackups']
+      }, {
+        api: 'cloneBackupOffering',
+        icon: 'copy-outlined',
+        label: 'label.clone.backup.offering',
+        docHelp: 'adminguide/virtual_machines.html#importing-backup-offerings',
+        dataView: true,
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneBackupOffering.vue')))
       }, {
         api: 'deleteBackupOffering',
         icon: 'delete-outlined',
@@ -487,6 +520,14 @@ export default {
         dataView: true,
         popup: true,
         component: shallowRef(defineAsyncComponent(() => import('@/views/offering/UpdateOfferingAccess.vue')))
+      }, {
+        api: 'cloneNetworkOffering',
+        icon: 'copy-outlined',
+        label: 'label.clone.network.offering',
+        docHelp: 'adminguide/networking.html#creating-a-new-network-offering',
+        dataView: true,
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneNetworkOffering.vue')))
       }, {
         api: 'deleteNetworkOffering',
         icon: 'delete-outlined',
@@ -508,7 +549,7 @@ export default {
       searchFilters: ['name', 'zoneid', 'domainid'],
       resourceType: 'VpcOffering',
       columns: ['name', 'state', 'displaytext', 'domain', 'zone', 'order'],
-      details: ['name', 'id', 'displaytext', 'internetprotocol', 'distributedvpcrouter', 'tags', 'routingmode', 'specifyasnumber', 'service', 'fornsx', 'networkmode', 'domain', 'zone', 'created'],
+      details: ['name', 'id', 'displaytext', 'internetprotocol', 'distributedvpcrouter', 'tags', 'routingmode', 'specifyasnumber', 'service', 'fornsx', 'networkmode', 'conservemode', 'domain', 'zone', 'created'],
       related: [{
         name: 'vpc',
         title: 'label.vpc',
@@ -579,6 +620,14 @@ export default {
         dataView: true,
         popup: true,
         component: shallowRef(defineAsyncComponent(() => import('@/views/offering/UpdateOfferingAccess.vue')))
+      }, {
+        api: 'cloneVPCOffering',
+        icon: 'copy-outlined',
+        docHelp: 'plugins/nuage-plugin.html?#optional-create-and-enable-vpc-offering',
+        label: 'label.clone.vpc.offering',
+        dataView: true,
+        popup: true,
+        component: shallowRef(defineAsyncComponent(() => import('@/views/offering/CloneVpcOffering.vue')))
       }, {
         api: 'deleteVPCOffering',
         icon: 'delete-outlined',
diff --git a/ui/src/views/compute/ChangeKubernetesClusterAffinity.vue b/ui/src/views/compute/ChangeKubernetesClusterAffinity.vue
new file mode 100644
index 00000000000..f06fa65d170
--- /dev/null
+++ b/ui/src/views/compute/ChangeKubernetesClusterAffinity.vue
@@ -0,0 +1,200 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-form
+        :ref="formRef"
+        :model="form"
+        :rules="rules"
+        @finish="handleSubmit"
+        layout="vertical">
+        <a-form-item name="controlaffinitygroupids" ref="controlaffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.control.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.control.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="controlAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.control.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="workeraffinitygroupids" ref="workeraffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.worker.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.worker.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="workerAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.worker.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item v-if="resource.etcdnodes && resource.etcdnodes > 0" name="etcdaffinitygroupids" ref="etcdaffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.etcd.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.etcd.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="etcdAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.etcd.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <div :span="24" class="action-button">
+          <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </a-form>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import { ref, reactive } from 'vue'
+import { getAPI, postAPI } from '@/api'
+import { mixinForm } from '@/utils/mixin'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+
+export default {
+  name: 'ChangeKubernetesClusterAffinity',
+  mixins: [mixinForm],
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  components: {
+    TooltipLabel
+  },
+  inject: ['parentFetchData'],
+  data () {
+    return {
+      loading: false,
+      affinityGroups: [],
+      affinityGroupLoading: false,
+      controlAffinityGroups: [],
+      workerAffinityGroups: [],
+      etcdAffinityGroups: []
+    }
+  },
+  created () {
+    this.initForm()
+    this.fetchAffinityGroups()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({})
+      this.rules = reactive({})
+    },
+    fetchAffinityGroups () {
+      this.affinityGroupLoading = true
+      const params = {
+        domainid: this.resource.domainid,
+        account: this.resource.account
+      }
+      getAPI('listAffinityGroups', params).then(json => {
+        const groups = json.listaffinitygroupsresponse.affinitygroup
+        if (groups && groups.length > 0) {
+          this.affinityGroups = groups.filter(group => group.type !== 'ExplicitDedication')
+        }
+        this.prePopulateSelections()
+      }).finally(() => {
+        this.affinityGroupLoading = false
+      })
+    },
+    prePopulateSelections () {
+      this.controlAffinityGroups = this.parseAffinityGroupIds(this.resource.controlaffinitygroupids)
+      this.workerAffinityGroups = this.parseAffinityGroupIds(this.resource.workeraffinitygroupids)
+      this.etcdAffinityGroups = this.parseAffinityGroupIds(this.resource.etcdaffinitygroupids)
+    },
+    parseAffinityGroupIds (idsCsv) {
+      if (!idsCsv) {
+        return []
+      }
+      return idsCsv.split(',').filter(id => id.trim() !== '')
+    },
+    handleSubmit (e) {
+      if (e) e.preventDefault()
+      if (this.loading) return
+      this.loading = true
+      const params = {
+        id: this.resource.id
+      }
+      let affinityIndex = 0
+      const addAffinityGroups = (nodeType, groups) => {
+        if (groups && groups.length > 0) {
+          params[`nodeaffinitygroups[${affinityIndex}].node`] = nodeType
+          params[`nodeaffinitygroups[${affinityIndex}].affinitygroup`] = groups.join(',')
+          affinityIndex++
+        }
+      }
+      addAffinityGroups('control', this.controlAffinityGroups)
+      addAffinityGroups('worker', this.workerAffinityGroups)
+      if (this.resource.etcdnodes && this.resource.etcdnodes > 0) {
+        addAffinityGroups('etcd', this.etcdAffinityGroups)
+      }
+      postAPI('updateKubernetesClusterAffinityGroups', params).then(json => {
+        this.$notification.success({
+          message: this.$t('message.success.change.affinity.group')
+        })
+        this.$emit('close-action')
+        this.parentFetchData()
+      }).catch(error => {
+        this.$notifyError(error)
+      }).finally(() => {
+        this.loading = false
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+  .form-layout {
+    width: 80vw;
+
+    @media (min-width: 600px) {
+      width: 450px;
+    }
+  }
+</style>
diff --git a/ui/src/views/compute/CreateAffinityGroup.vue b/ui/src/views/compute/CreateAffinityGroup.vue
new file mode 100644
index 00000000000..27d9828138d
--- /dev/null
+++ b/ui/src/views/compute/CreateAffinityGroup.vue
@@ -0,0 +1,173 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-form
+        :ref="formRef"
+        :model="form"
+        :rules="rules"
+        @finish="handleSubmit"
+        layout="vertical">
+        <a-form-item name="name" ref="name">
+          <template #label>
+            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+          </template>
+          <a-input
+            v-model:value="form.name"
+            :placeholder="apiParams.name.description"
+            v-focus="true" />
+        </a-form-item>
+        <a-form-item name="description" ref="description">
+          <template #label>
+            <tooltip-label :title="$t('label.description')" :tooltip="apiParams.description.description"/>
+          </template>
+          <a-input
+            v-model:value="form.description"
+            :placeholder="apiParams.description.description"/>
+        </a-form-item>
+        <a-form-item name="type" ref="type">
+          <template #label>
+            <tooltip-label :title="$t('label.type')" :tooltip="apiParams.type.description"/>
+          </template>
+          <a-select
+            v-model:value="form.type"
+            showSearch
+            optionFilterProp="label"
+            :placeholder="apiParams.type.description">
+            <a-select-option v-for="opt in affinityGroupTypes" :key="opt" :label="opt">
+              {{ opt }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <ownership-selection v-if="isAdminOrDomainAdmin()" @fetch-owner="fetchOwnerOptions"/>
+        <div :span="24" class="action-button">
+          <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </a-form>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import { ref, reactive, toRaw } from 'vue'
+import { postAPI } from '@/api'
+import { mixinForm } from '@/utils/mixin'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import OwnershipSelection from '@/views/compute/wizard/OwnershipSelection'
+
+export default {
+  name: 'CreateAffinityGroup',
+  mixins: [mixinForm],
+  components: {
+    TooltipLabel,
+    OwnershipSelection
+  },
+  data () {
+    return {
+      loading: false,
+      owner: {},
+      affinityGroupTypes: [
+        'host affinity',
+        'host anti-affinity',
+        'non-strict host affinity',
+        'non-strict host anti-affinity'
+      ]
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('createAffinityGroup')
+  },
+  created () {
+    this.initForm()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({})
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.name') }],
+        type: [{ required: true, message: this.$t('label.required') }]
+      })
+    },
+    isAdminOrDomainAdmin () {
+      return ['Admin', 'DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
+    },
+    fetchOwnerOptions (ownerOptions) {
+      this.owner = {}
+      if (ownerOptions.selectedAccountType === 'Account') {
+        if (!ownerOptions.selectedAccount) {
+          return
+        }
+        this.owner.account = ownerOptions.selectedAccount
+        this.owner.domainid = ownerOptions.selectedDomain
+      } else if (ownerOptions.selectedAccountType === 'Project') {
+        if (!ownerOptions.selectedProject) {
+          return
+        }
+        this.owner.projectid = ownerOptions.selectedProject
+      }
+    },
+    handleSubmit (e) {
+      e.preventDefault()
+      if (this.loading) return
+      this.formRef.value.validate().then(() => {
+        const formRaw = toRaw(this.form)
+        const values = this.handleRemoveFields(formRaw)
+        this.loading = true
+        const params = {
+          name: values.name,
+          description: values.description,
+          type: values.type
+        }
+        if (this.owner.account) {
+          params.account = this.owner.account
+          params.domainid = this.owner.domainid
+        } else if (this.owner.projectid) {
+          params.projectid = this.owner.projectid
+        }
+        postAPI('createAffinityGroup', params).then(json => {
+          this.$message.success(this.$t('label.add.affinity.group') + ' - ' + values.name)
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.$emit('refresh-data')
+          this.loading = false
+          this.closeAction()
+        })
+      }).catch(error => {
+        this.formRef.value.scrollToField(error.errorFields[0].name)
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+  .form-layout {
+    width: 80vw;
+
+    @media (min-width: 600px) {
+      width: 450px;
+    }
+  }
+</style>
diff --git a/ui/src/views/compute/CreateKubernetesCluster.vue b/ui/src/views/compute/CreateKubernetesCluster.vue
index 1799933bf2e..618e46cb72d 100644
--- a/ui/src/views/compute/CreateKubernetesCluster.vue
+++ b/ui/src/views/compute/CreateKubernetesCluster.vue
@@ -65,6 +65,7 @@
             </a-select-option>
           </a-select>
         </a-form-item>
+        <ownership-selection v-if="isAdmin()" @fetch-owner="fetchOwnerOptions"/>
         <a-form-item ref="hypervisor" name="hypervisor">
           <template #label>
             <tooltip-label :title="$t('label.hypervisor')" :tooltip="apiParams.hypervisor.description"/>
@@ -316,7 +317,7 @@
             </a-select-option>
           </a-select>
         </a-form-item>
-        <a-form-item v-if="form.advancedmode && form?.etcdnodes > 0" name="etcdtemplateid" ref="etcdtemplateid">
+        <a-form-item v-if="form.advancedmode && form.etcdnodes && form.etcdnodes > 0" name="etcdtemplateid" ref="etcdtemplateid">
           <template #label>
             <tooltip-label :title="$t('label.cks.cluster.etcd.nodes.templateid')" :tooltip="$t('label.cks.cluster.etcd.nodes.templateid')"/>
           </template>
@@ -335,6 +336,57 @@
             </a-select-option>
           </a-select>
         </a-form-item>
+        <a-form-item v-if="form.advancedmode" name="controlaffinitygroupids" ref="controlaffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.control.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.control.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="controlAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.control.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item v-if="form.advancedmode" name="workeraffinitygroupids" ref="workeraffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.worker.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.worker.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="workerAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.worker.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item v-if="form.advancedmode && form.etcdnodes && form.etcdnodes > 0" name="etcdaffinitygroupids" ref="etcdaffinitygroupids">
+          <template #label>
+            <tooltip-label :title="$t('label.cks.cluster.etcd.nodes.affinitygroupid')" :tooltip="$t('label.cks.cluster.etcd.nodes.affinitygroupid')"/>
+          </template>
+          <a-select
+            v-model:value="etcdAffinityGroups"
+            mode="multiple"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0"
+            :loading="affinityGroupLoading"
+            :placeholder="$t('label.cks.cluster.etcd.nodes.affinitygroupid')">
+            <a-select-option v-for="opt in affinityGroups" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
         <a-form-item v-if="form.advancedmode && isASNumberRequired() && !form.networkid" name="asnumber" ref="asnumber">
           <template #label>
               <tooltip-label :title="$t('label.asnumber')" :tooltip="apiParams.asnumber.description"/>
@@ -441,6 +493,7 @@ import { mixinForm } from '@/utils/mixin'
 import ResourceIcon from '@/components/view/ResourceIcon'
 import TooltipLabel from '@/components/widgets/TooltipLabel'
 import UserDataSelection from '@views/compute/wizard/UserDataSelection'
+import OwnershipSelection from '@/views/compute/wizard/OwnershipSelection'
 
 export default {
   name: 'CreateKubernetesCluster',
@@ -448,7 +501,8 @@ export default {
   components: {
     TooltipLabel,
     ResourceIcon,
-    UserDataSelection
+    UserDataSelection,
+    OwnershipSelection
   },
   props: {},
   data () {
@@ -490,7 +544,13 @@ export default {
       cksNetworkOffering: null,
       asNumbersZone: [],
       asNumberLoading: false,
-      selectedAsNumber: 0
+      selectedAsNumber: 0,
+      affinityGroups: [],
+      affinityGroupLoading: false,
+      controlAffinityGroups: [],
+      workerAffinityGroups: [],
+      etcdAffinityGroups: [],
+      owner: {}
     }
   },
   beforeCreate () {
@@ -555,11 +615,38 @@ export default {
     },
     fetchData () {
       this.fetchZoneData()
-      this.fetchKeyPairData()
+      if (!this.isAdmin()) {
+        this.fetchKeyPairData()
+      }
       this.fetchCksTemplates()
       this.fetchCKSNetworkOfferingName()
       this.fetchCniConfigurations()
     },
+    fetchAffinityGroups () {
+      this.affinityGroups = []
+      this.controlAffinityGroups = []
+      this.workerAffinityGroups = []
+      this.etcdAffinityGroups = []
+      const params = {}
+      if (!this.isObjectEmpty(this.selectedZone)) {
+        params.zoneid = this.selectedZone.id
+      }
+      if (this.owner.account) {
+        params.account = this.owner.account
+        params.domainid = this.owner.domainid
+      } else if (this.owner.projectid) {
+        params.projectid = this.owner.projectid
+      }
+      this.affinityGroupLoading = true
+      getAPI('listAffinityGroups', params).then(json => {
+        const groups = json.listaffinitygroupsresponse.affinitygroup
+        if (this.arrayHasItems(groups)) {
+          this.affinityGroups = groups.filter(group => group.type !== 'ExplicitDedication')
+        }
+      }).finally(() => {
+        this.affinityGroupLoading = false
+      })
+    },
     isValidValueForKey (obj, key) {
       return key in obj && obj[key] != null
     },
@@ -597,9 +684,12 @@ export default {
     handleZoneChange (zone) {
       this.selectedZone = zone
       this.fetchKubernetesVersionData()
-      this.fetchNetworkData()
       this.fetchZoneHypervisors()
       this.fetchZoneASNumbers()
+      if (!this.isAdmin()) {
+        this.fetchNetworkData()
+        this.fetchAffinityGroups()
+      }
     },
     handleASNumberChange (selectedIndex) {
       this.selectedAsNumber = this.asNumbersZone[selectedIndex].asnumber
@@ -663,9 +753,30 @@ export default {
         }
       })
     },
+    isAdmin () {
+      return this.$store.getters.userInfo.roletype === 'Admin'
+    },
     isAdminOrDomainAdmin () {
       return ['Admin', 'DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
     },
+    fetchOwnerOptions (ownerOptions) {
+      this.owner = {}
+      if (ownerOptions.selectedAccountType === 'Account') {
+        if (!ownerOptions.selectedAccount) {
+          return
+        }
+        this.owner.account = ownerOptions.selectedAccount
+        this.owner.domainid = ownerOptions.selectedDomain
+      } else if (ownerOptions.selectedAccountType === 'Project') {
+        if (!ownerOptions.selectedProject) {
+          return
+        }
+        this.owner.projectid = ownerOptions.selectedProject
+      }
+      this.fetchNetworkData()
+      this.fetchKeyPairData()
+      this.fetchAffinityGroups()
+    },
     fetchCksTemplates () {
       var filters = []
       if (this.isAdminOrDomainAdmin()) {
@@ -695,6 +806,12 @@ export default {
       if (!this.isObjectEmpty(this.selectedZone)) {
         params.zoneid = this.selectedZone.id
       }
+      if (this.owner.account) {
+        params.account = this.owner.account
+        params.domainid = this.owner.domainid
+      } else if (this.owner.projectid) {
+        params.projectid = this.owner.projectid
+      }
       this.networkLoading = true
       this.networks = []
       getAPI('listNetworks', params).then(json => {
@@ -713,7 +830,14 @@ export default {
     },
     fetchKeyPairData () {
       const params = {}
+      if (this.owner.account) {
+        params.account = this.owner.account
+        params.domainid = this.owner.domainid
+      } else if (this.owner.projectid) {
+        params.projectid = this.owner.projectid
+      }
       this.keyPairLoading = true
+      this.keyPairs = [this.emptyEntry]
       getAPI('listSSHKeyPairs', params).then(json => {
         const listKeyPairs = json.listsshkeypairsresponse.sshkeypair
         if (this.arrayHasItems(listKeyPairs)) {
@@ -840,6 +964,12 @@ export default {
           size: values.size,
           clustertype: 'CloudManaged'
         }
+        if (this.owner.account) {
+          params.account = this.owner.account
+          params.domainid = this.owner.domainid
+        } else if (this.owner.projectid) {
+          params.projectid = this.owner.projectid
+        }
         if (values.hypervisor !== null) {
           params.hypervisor = this.selectedZoneHypervisors[values.hypervisor].name.toLowerCase()
         }
@@ -881,6 +1011,21 @@ export default {
             advancedTemplates++
           }
         }
+        if (values.advancedmode) {
+          let affinityIndex = 0
+          const addAffinityGroups = (nodeType, groups) => {
+            if (groups && groups.length > 0) {
+              params[`nodeaffinitygroups[${affinityIndex}].node`] = nodeType
+              params[`nodeaffinitygroups[${affinityIndex}].affinitygroup`] = groups.join(',')
+              affinityIndex++
+            }
+          }
+          addAffinityGroups('control', this.controlAffinityGroups)
+          addAffinityGroups('worker', this.workerAffinityGroups)
+          if (values.etcdnodes > 0) {
+            addAffinityGroups('etcd', this.etcdAffinityGroups)
+          }
+        }
         if (this.isValidValueForKey(values, 'noderootdisksize') && values.noderootdisksize > 0) {
           params.noderootdisksize = values.noderootdisksize
         }
diff --git a/ui/src/views/network/LoadBalancing.vue b/ui/src/views/network/LoadBalancing.vue
index ad091b218a8..0b9ed7684a8 100644
--- a/ui/src/views/network/LoadBalancing.vue
+++ b/ui/src/views/network/LoadBalancing.vue
@@ -204,6 +204,11 @@
                   {{ instance.loadbalancerruleinstance.displayname }}
                 </router-link>
               </div>
+              <div v-if="this.vpcConserveMode">
+                <router-link :to="{ path: '/guestnetwork/' + instance.loadbalancerruleinstance.nic[0].networkid }">
+                  {{ instance.loadbalancerruleinstance.nic[0].networkname }}
+                </router-link>
+              </div>
               <div>{{ ip }}</div>
               <tooltip-button
                 :disabled='record.autoscalevmgroup'
@@ -487,10 +492,10 @@
     >
       <div @keyup.ctrl.enter="handleAddNewRule">
         <span
-          v-if="'vpcid' in resource && !('associatednetworkid' in resource)">
+          v-if="'vpcid' in resource && (!('associatednetworkid' in resource) || vpcConserveMode)">
           <strong>{{ $t('label.select.tier') }} </strong>
           <a-select
-            v-focus="'vpcid' in resource && !('associatednetworkid' in resource)"
+            v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || vpcConserveMode)"
             v-model:value="selectedTier"
             @change="fetchVirtualMachines()"
             :placeholder="$t('label.select.tier')"
@@ -1022,7 +1027,8 @@ export default {
         urlpath: '/'
       },
       healthMonitorLoading: false,
-      isNetrisZone: false
+      isNetrisZone: false,
+      vpcConserveMode: false
     }
   },
   computed: {
@@ -1079,10 +1085,24 @@ export default {
       })
     },
     fetchData () {
+      this.fetchVpc()
       this.fetchListTiers()
       this.fetchLBRules()
       this.fetchZone()
     },
+    fetchVpc () {
+      if (!this.resource.vpcid) {
+        return
+      }
+      this.vpcConserveMode = false
+      getAPI('listVPCs', {
+        id: this.resource.vpcid
+      }).then(json => {
+        this.vpcConserveMode = json.listvpcsresponse?.vpc?.[0].vpcofferingconservemode || false
+      }).catch(error => {
+        this.$notifyError(error)
+      })
+    },
     fetchListTiers () {
       this.tiers.loading = true
 
@@ -1830,7 +1850,7 @@ export default {
 
       getAPI('listNics', {
         virtualmachineid: e.target.value,
-        networkid: ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+        networkid: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
       }).then(response => {
         if (!response || !response.listnicsresponse || !response.listnicsresponse.nic[0]) return
         const newItem = []
@@ -1850,7 +1870,7 @@ export default {
       this.vmCount = 0
       this.vms = []
       this.addVmModalLoading = true
-      const networkId = ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+      const networkId = ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
       if (!networkId) {
         this.addVmModalLoading = false
         return
@@ -1935,11 +1955,17 @@ export default {
           ip.forEach(i => {
             vmIDIpMap[`vmidipmap[${innerCount}].vmid`] = this.newRule.virtualmachineid[count]
             vmIDIpMap[`vmidipmap[${innerCount}].vmip`] = i
+            if (this.vpcConserveMode) {
+              vmIDIpMap[`vmidipmap[${innerCount}].vmnetworkid`] = this.selectedTier
+            }
             innerCount++
           })
         } else {
           vmIDIpMap[`vmidipmap[${innerCount}].vmid`] = this.newRule.virtualmachineid[count]
           vmIDIpMap[`vmidipmap[${innerCount}].vmip`] = ip
+          if (this.vpcConserveMode && ip != null) {
+            vmIDIpMap[`vmidipmap[${innerCount}].vmnetworkid`] = this.selectedTier
+          }
           innerCount++
         }
         if (this.newRule.virtualmachineid[count]) {
diff --git a/ui/src/views/network/PortForwarding.vue b/ui/src/views/network/PortForwarding.vue
index 8ab6559b12c..ffa89e5b581 100644
--- a/ui/src/views/network/PortForwarding.vue
+++ b/ui/src/views/network/PortForwarding.vue
@@ -117,6 +117,12 @@
         <template v-if="column.key === 'cidrlist'">
           <span style="white-space: pre-line"> {{ record.cidrlist?.replaceAll(",", "\n") }}</span>
         </template>
+        <template v-if="vpcConserveMode && column.key === 'networkid'">
+          <router-link
+            :to="{ path: '/guestnetwork/' + record.networkid }">
+            {{ record.networkname }}
+          </router-link>
+        </template>
         <template v-if="column.key === 'vm'">
           <div><desktop-outlined/>
             <router-link
@@ -216,10 +222,10 @@
       @cancel="closeModal">
       <div v-ctrl-enter="addRule">
         <span
-          v-if="'vpcid' in resource && !('associatednetworkid' in resource)">
+          v-if="'vpcid' in resource && (!('associatednetworkid' in resource) || vpcConserveMode)">
           <strong>{{ $t('label.select.tier') }} </strong>
           <a-select
-            :v-focus="'vpcid' in resource && !('associatednetworkid' in resource)"
+            v-focus="'vpcid' in resource && (!('associatednetworkid' in resource) || vpcConserveMode)"
             v-model:value="selectedTier"
             @change="fetchVirtualMachines()"
             :placeholder="$t('label.select.tier')"
@@ -467,7 +473,8 @@ export default {
       vmPageSize: 10,
       vmCount: 0,
       searchQuery: null,
-      cidrlist: ''
+      cidrlist: '',
+      vpcConserveMode: false
     }
   },
   computed: {
@@ -479,7 +486,6 @@ export default {
     this.apiParams = this.$getApiParams('createPortForwardingRule')
   },
   created () {
-    console.log(this.resource)
     this.initForm()
     this.fetchData()
   },
@@ -504,13 +510,30 @@ export default {
       })
     },
     fetchData () {
+      this.fetchVpc()
       this.fetchListTiers()
       this.fetchPFRules()
     },
-    fetchListTiers () {
-      if ('vpcid' in this.resource && 'associatednetworkid' in this.resource) {
+    fetchVpc () {
+      if (!this.resource.vpcid) {
         return
       }
+      this.vpcConserveMode = false
+      getAPI('listVPCs', {
+        id: this.resource.vpcid
+      }).then(json => {
+        this.vpcConserveMode = json.listvpcsresponse?.vpc?.[0].vpcofferingconservemode || false
+        if (this.vpcConserveMode) {
+          this.columns.splice(this.columns.length - 1, 0, {
+            key: 'networkid',
+            title: this.$t('label.network')
+          })
+        }
+      }).catch(error => {
+        this.$notifyError(error)
+      })
+    },
+    fetchListTiers () {
       this.selectedTier = null
       this.tiers.loading = true
       getAPI('listNetworks', {
@@ -630,7 +653,7 @@ export default {
       if (this.loading) return
       this.loading = true
       this.addVmModalVisible = false
-      const networkId = ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+      const networkId = ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
       postAPI('createPortForwardingRule', {
         ...this.newRule,
         ipaddressid: this.resource.id,
@@ -788,7 +811,7 @@ export default {
       this.newRule.virtualmachineid = e.target.value
       getAPI('listNics', {
         virtualmachineid: e.target.value,
-        networkId: ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+        networkid: ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
       }).then(response => {
         if (!response.listnicsresponse.nic || response.listnicsresponse.nic.length < 1) return
         const nic = response.listnicsresponse.nic[0]
@@ -799,7 +822,6 @@ export default {
         this.newRule.vmguestip = this.nics[0]
         this.addVmModalNicLoading = false
       }).catch(error => {
-        console.log(error)
         this.$notifyError(error)
         this.closeModal()
       })
@@ -808,7 +830,7 @@ export default {
       this.vmCount = 0
       this.vms = []
       this.addVmModalLoading = true
-      const networkId = ('vpcid' in this.resource && !('associatednetworkid' in this.resource)) ? this.selectedTier : this.resource.associatednetworkid
+      const networkId = ('vpcid' in this.resource && (!('associatednetworkid' in this.resource) || this.vpcConserveMode)) ? this.selectedTier : this.resource.associatednetworkid
       if (!networkId) {
         this.addVmModalLoading = false
         return
diff --git a/ui/src/views/network/PublicIpResource.vue b/ui/src/views/network/PublicIpResource.vue
index 7c25e1c32ba..0540e7f292a 100644
--- a/ui/src/views/network/PublicIpResource.vue
+++ b/ui/src/views/network/PublicIpResource.vue
@@ -135,8 +135,10 @@ export default {
         return
       }
       if (this.resource && this.resource.vpcid) {
-        // VPC IPs with source nat have only VPN
-        if (this.resource.issourcenat) {
+        const vpc = await this.fetchVpc()
+
+        // VPC IPs with source nat have only VPN when VPC offering conserve mode = false
+        if (this.resource.issourcenat && vpc?.vpcofferingconservemode === false) {
           this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
           return
         }
@@ -154,7 +156,12 @@ export default {
 
         const network = await this.fetchNetwork()
         if (network && network.networkofferingconservemode) {
-          this.tabs = tabs
+          // VPC IPs with source nat have only VPN when VPC offering conserve mode = false
+          if (this.resource.issourcenat && vpc?.vpcofferingconservemode === false) {
+            this.tabs = this.defaultTabs.concat(this.$route.meta.tabs.filter(tab => tab.name === 'vpn'))
+          } else {
+            this.tabs = tabs
+          }
           return
         }
 
@@ -193,6 +200,21 @@ export default {
     fetchAction () {
       this.actions = this.$route.meta.actions || []
     },
+    fetchVpc () {
+      if (!this.resource.vpcid) {
+        return null
+      }
+      return new Promise((resolve, reject) => {
+        getAPI('listVPCs', {
+          id: this.resource.vpcid
+        }).then(json => {
+          const vpc = json.listvpcsresponse?.vpc?.[0] || null
+          resolve(vpc)
+        }).catch(e => {
+          reject(e)
+        })
+      })
+    },
     fetchNetwork () {
       if (!this.resource.associatednetworkid) {
         return null
diff --git a/ui/src/views/offering/AddComputeOffering.vue b/ui/src/views/offering/AddComputeOffering.vue
index 465d07b8e57..72a63ef43f9 100644
--- a/ui/src/views/offering/AddComputeOffering.vue
+++ b/ui/src/views/offering/AddComputeOffering.vue
@@ -18,658 +18,29 @@
 <template>
   <div class="form-layout" v-ctrl-enter="handleSubmit">
     <a-spin :spinning="loading">
-      <a-form
-        :ref="formRef"
-        :model="form"
+      <ComputeOfferingForm
+        :initialValues="form"
         :rules="rules"
-        @finish="handleSubmit"
-        layout="vertical"
-       >
-        <a-form-item name="name" ref="name">
-          <template #label>
-            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
-          </template>
-          <a-input
-            v-focus="true"
-            v-model:value="form.name"
-            :placeholder="$t('label.name')"/>
-        </a-form-item>
-        <a-form-item name="displaytext" ref="displaytext">
-          <template #label>
-            <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
-          </template>
-          <a-input
-            v-model:value="form.displaytext"
-            :placeholder="$t('label.displaytext')"/>
-        </a-form-item>
-        <a-form-item name="systemvmtype" ref="systemvmtype" v-if="isSystem">
-          <template #label>
-            <tooltip-label :title="$t('label.systemvmtype')" :tooltip="apiParams.systemvmtype.description"/>
-          </template>
-          <a-select
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.systemvmtype"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :placeholder="apiParams.systemvmtype.description">
-            <a-select-option key="domainrouter" :label="$t('label.domain.router')">{{ $t('label.domain.router') }}</a-select-option>
-            <a-select-option key="consoleproxy" :label="$t('label.console.proxy')">{{ $t('label.console.proxy') }}</a-select-option>
-            <a-select-option key="secondarystoragevm" :label="$t('label.secondary.storage.vm')">{{ $t('label.secondary.storage.vm') }}</a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="offeringtype" ref="offeringtype" :label="$t('label.offeringtype')" v-show="!isSystem">
-          <a-radio-group
-            v-model:value="form.offeringtype"
-            @change="selected => { handleComputeOfferingTypeChange(selected.target.value) }"
-            buttonStyle="solid">
-            <a-radio-button value="fixed">
-              {{ $t('label.fixed') }}
-            </a-radio-button>
-            <a-radio-button value="customconstrained">
-              {{ $t('label.customconstrained') }}
-            </a-radio-button>
-            <a-radio-button value="customunconstrained">
-              {{ $t('label.customunconstrained') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-row :gutter="12">
-          <a-col :md="8" :lg="8" v-if="offeringType === 'fixed'">
-            <a-form-item name="cpunumber" ref="cpunumber">
-              <template #label>
-                <tooltip-label :title="$t('label.cpunumber')" :tooltip="apiParams.cpunumber.description"/>
-              </template>
-              <a-input
-                v-model:value="form.cpunumber"
-                :placeholder="apiParams.cpunumber.description"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="8" :lg="8" v-if="offeringType !== 'customunconstrained'">
-            <a-form-item name="cpuspeed" ref="cpuspeed">
-              <template #label>
-                <tooltip-label :title="$t('label.cpuspeed')" :tooltip="apiParams.cpuspeed.description"/>
-              </template>
-              <a-input
-                v-model:value="form.cpuspeed"
-                :placeholder="apiParams.cpuspeed.description"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="8" :lg="8" v-if="offeringType === 'fixed'">
-            <a-form-item name="memory" ref="memory">
-              <template #label>
-                <tooltip-label :title="$t('label.memory.mb')" :tooltip="apiParams.memory.description"/>
-              </template>
-              <a-input
-                v-model:value="form.memory"
-                :placeholder="apiParams.memory.description"/>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-row :gutter="12" v-if="offeringType === 'customconstrained'">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="mincpunumber" ref="mincpunumber">
-              <template #label>
-                <tooltip-label :title="$t('label.mincpunumber')" :tooltip="apiParams.mincpunumber.description"/>
-              </template>
-              <a-input
-                v-model:value="form.mincpunumber"
-                :placeholder="apiParams.mincpunumber.description"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="maxcpunumber" ref="maxcpunumber">
-              <template #label>
-                <tooltip-label :title="$t('label.maxcpunumber')" :tooltip="apiParams.maxcpunumber.description"/>
-              </template>
-              <a-input
-                v-model:value="form.maxcpunumber"
-                :placeholder="apiParams.maxcpunumber.description"/>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-row :gutter="12" v-if="offeringType === 'customconstrained'">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="minmemory" ref="minmemory">
-              <template #label>
-                <tooltip-label :title="$t('label.minmemory')" :tooltip="apiParams.minmemory.description"/>
-              </template>
-              <a-input
-                v-model:value="form.minmemory"
-                :placeholder="apiParams.minmemory.description"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="maxmemory" ref="maxmemory">
-              <template #label>
-                <tooltip-label :title="$t('label.maxmemory')" :tooltip="apiParams.maxmemory.description"/>
-              </template>
-              <a-input
-                v-model:value="form.maxmemory"
-                :placeholder="apiParams.maxmemory.description"/>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-row :gutter="12">
-          <a-col :md="12" :lg="12">
-            <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="hosttags" ref="hosttags">
-              <template #label>
-                <tooltip-label :title="$t('label.hosttags')" :tooltip="apiParams.hosttags.description"/>
-              </template>
-              <a-input
-                v-model:value="form.hosttags"
-                :placeholder="apiParams.hosttags.description"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="networkrate" ref="networkrate">
-              <template #label>
-                <tooltip-label :title="$t('label.networkrate')" :tooltip="apiParams.networkrate.description"/>
-              </template>
-              <a-input
-                v-model:value="form.networkrate"
-                :placeholder="apiParams.networkrate.description"/>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-row :gutter="12">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="offerha" ref="offerha">
-              <template #label>
-                <tooltip-label :title="$t('label.offerha')" :tooltip="apiParams.offerha.description"/>
-              </template>
-              <a-switch v-model:checked="form.offerha" />
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="dynamicscalingenabled" ref="dynamicscalingenabled">
-              <template #label>
-                <tooltip-label :title="$t('label.dynamicscalingenabled')" :tooltip="apiParams.dynamicscalingenabled.description"/>
-              </template>
-              <a-switch v-model:checked="form.dynamicscalingenabled" @change="val => { dynamicscalingenabled = val }"/>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-row :gutter="12">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="limitcpuuse" ref="limitcpuuse">
-              <template #label>
-                <tooltip-label :title="$t('label.limitcpuuse')" :tooltip="apiParams.limitcpuuse.description"/>
-              </template>
-              <a-switch v-model:checked="form.limitcpuuse" />
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item v-if="!isSystem" name="isvolatile" ref="isvolatile">
-              <template #label>
-                <tooltip-label :title="$t('label.isvolatile')" :tooltip="apiParams.isvolatile.description"/>
-              </template>
-              <a-switch v-model:checked="form.isvolatile" />
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-form-item name="deploymentplanner" ref="deploymentplanner" v-if="!isSystem && isAdmin()">
-          <template #label>
-            <tooltip-label :title="$t('label.deploymentplanner')" :tooltip="apiParams.deploymentplanner.description"/>
-          </template>
-          <a-select
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.deploymentplanner"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="deploymentPlannerLoading"
-            :placeholder="apiParams.deploymentplanner.description"
-            @change="val => { handleDeploymentPlannerChange(val) }">
-            <a-select-option v-for="(opt) in deploymentPlanners" :key="opt.name" :label="opt.name || opt.description || ''">
-              {{ opt.name || opt.description }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="plannermode" ref="plannermode" :label="$t('label.plannermode')" v-if="plannerModeVisible">
-          <a-radio-group
-            v-model:value="form.plannermode"
-            buttonStyle="solid">
-            <a-radio-button value="">
-              {{ $t('label.none') }}
-            </a-radio-button>
-            <a-radio-button value="strict">
-              {{ $t('label.strict') }}
-            </a-radio-button>
-            <a-radio-button value="Preferred">
-              {{ $t('label.preferred') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-form-item name="gpucardid" ref="gpucardid" :label="$t('label.gpu.card')" v-if="!isSystem">
-          <a-select
-            v-model:value="form.gpucardid"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="gpuCardLoading"
-            :placeholder="$t('label.gpu.card')"
-            @change="handleGpuCardChange">
-            <a-select-option v-for="(opt, optIndex) in gpuCards" :key="optIndex" :value="opt.id" :label="opt.name || opt.description || ''">
-              {{ opt.description || opt.name || '' }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="vgpuprofile" ref="vgpuprofile" :label="$t('label.vgpu.profile')" v-if="!isSystem && form.gpucardid && vgpuProfiles.length > 0">
-          <a-select
-            v-model:value="form.vgpuprofile"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="vgpuProfileLoading"
-            :placeholder="$t('label.vgpu.profile')">
-            <a-select-option v-for="(vgpu, vgpuIndex) in vgpuProfiles" :key="vgpuIndex" :value="vgpu.id" :label="vgpu.vgpuprofile || ''">
-              {{ vgpu.name }} {{ getVgpuProfileDetails(vgpu) }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-row :gutter="12" v-if="!isSystem && form.gpucardid">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="gpucount" ref="gpucount">
-              <template #label>
-                <tooltip-label :title="$t('label.gpu.count')" :tooltip="apiParams.gpucount.description"/>
-              </template>
-              <a-input
-                v-model:value="form.gpucount"
-                type="number"
-                min="1"
-                max="16"
-                :placeholder="$t('label.gpu.count')"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="gpudisplay" ref="gpudisplay">
-              <template #label>
-                <tooltip-label :title="$t('label.gpu.display')" :tooltip="apiParams.gpudisplay.description"/>
-              </template>
-              <a-switch v-model:checked="form.gpudisplay" />
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-show="isAdmin()">
-          <a-switch v-model:checked="form.ispublic" />
-        </a-form-item>
-        <a-form-item name="domainid" ref="domainid" v-if="!form.ispublic">
-          <template #label>
-            <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
-          </template>
-          <a-select
-            mode="multiple"
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.domainid"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="domainLoading"
-            :placeholder="apiParams.domainid.description">
-            <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
-              <span>
-                <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
-                <block-outlined v-else style="margin-right: 5px" />
-                {{ opt.path || opt.name || opt.description }}
-              </span>
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="zoneid" ref="zoneid" v-if="!isSystem">
-          <template #label>
-            <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
-          </template>
-          <a-select
-            id="zone-selection"
-            mode="multiple"
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.zoneid"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            @select="val => fetchvSphereStoragePolicies(val)"
-            :loading="zoneLoading"
-            :placeholder="apiParams.zoneid.description">
-            <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
-              <span>
-                <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
-                <global-outlined v-else style="margin-right: 5px"/>
-                {{ opt.name || opt.description }}
-              </span>
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item
-          name="storagepolicy"
-          ref="storagepolicy"
-          v-if="'listVsphereStoragePolicies' in $store.getters.apis && storagePolicies !== null">
-          <template #label>
-            <tooltip-label :title="$t('label.vmware.storage.policy')" :tooltip="apiParams.storagepolicy.description"/>
-          </template>
-          <a-select
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.storagepolicy"
-            :placeholder="apiParams.storagepolicy.description"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }" >
-            <a-select-option v-for="policy in storagePolicies" :key="policy.id" :label="policy.name || policy.id || ''">
-              {{ policy.name || policy.id }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="purgeresources" ref="purgeresources">
-          <template #label>
-            <tooltip-label :title="$t('label.purgeresources')" :tooltip="apiParams.purgeresources.description"/>
-          </template>
-          <a-switch v-model:checked="form.purgeresources"/>
-        </a-form-item>
-        <a-form-item name="showLeaseOptions" ref="showLeaseOptions" v-if="isLeaseFeatureEnabled">
-          <template #label>
-            <tooltip-label :title="$t('label.lease.enable')" :tooltip="$t('label.lease.enable.tooltip')" />
-          </template>
-          <a-switch v-model:checked="showLeaseOptions" @change="onToggleLeaseData"/>
-        </a-form-item>
-        <a-row :gutter="12" v-if="isLeaseFeatureEnabled && showLeaseOptions">
-          <a-col :md="12" :lg="12">
-            <a-form-item name="leaseduration" ref="leaseduration">
-              <template #label>
-                <tooltip-label :title="$t('label.leaseduration')"/>
-              </template>
-              <a-input
-                v-model:value="form.leaseduration"
-                :placeholder="$t('label.instance.lease.placeholder')"/>
-            </a-form-item>
-          </a-col>
-          <a-col :md="12" :lg="12">
-            <a-form-item name="leaseexpiryaction" ref="leaseexpiryaction"  v-if="form.leaseduration > 0">
-              <template #label>
-                <tooltip-label :title="$t('label.leaseexpiryaction')" />
-              </template>
-              <a-select v-model:value="form.leaseexpiryaction" :defaultValue="expiryActions">
-                <a-select-option v-for="action in expiryActions" :key="action" :label="action"/>
-              </a-select>
-            </a-form-item>
-          </a-col>
-        </a-row>
-        <a-form-item name="computeonly" ref="computeonly">
-          <template #label>
-            <tooltip-label :title="$t('label.computeonly.offering')" :tooltip="$t('label.computeonly.offering.tooltip')"/>
-          </template>
-          <a-switch v-model:checked="form.computeonly" :checked="computeonly" @change="val => { computeonly = val }"/>
-        </a-form-item>
-        <a-card style="margin-bottom: 10px;">
-          <span v-if="computeonly">
-            <a-form-item name="storagetype" ref="storagetype">
-              <template #label>
-                <tooltip-label :title="$t('label.storagetype')" :tooltip="apiParams.storagetype.description"/>
-              </template>
-              <a-radio-group
-                v-model:value="form.storagetype"
-                buttonStyle="solid"
-                @change="selected => { handleStorageTypeChange(selected.target.value) }">
-                <a-radio-button value="shared">
-                  {{ $t('label.shared') }}
-                </a-radio-button>
-                <a-radio-button value="local">
-                  {{ $t('label.local') }}
-                </a-radio-button>
-              </a-radio-group>
-            </a-form-item>
-            <a-form-item name="provisioningtype" ref="provisioningtype">
-              <template #label>
-                <tooltip-label :title="$t('label.provisioningtype')" :tooltip="apiParams.provisioningtype.description"/>
-              </template>
-              <a-radio-group
-                v-model:value="form.provisioningtype"
-                buttonStyle="solid"
-                @change="selected => { handleProvisioningTypeChange(selected.target.value) }">
-                <a-radio-button value="thin">
-                  {{ $t('label.provisioningtype.thin') }}
-                </a-radio-button>
-                <a-radio-button value="sparse">
-                  {{ $t('label.provisioningtype.sparse') }}
-                </a-radio-button>
-                <a-radio-button value="fat">
-                  {{ $t('label.provisioningtype.fat') }}
-                </a-radio-button>
-              </a-radio-group>
-            </a-form-item>
-            <a-form-item name="cachemode" ref="cachemode">
-              <template #label>
-                <tooltip-label :title="$t('label.cachemode')" :tooltip="apiParams.cachemode.description"/>
-              </template>
-              <a-radio-group
-                v-model:value="form.cachemode"
-                buttonStyle="solid"
-                @change="selected => { handleCacheModeChange(selected.target.value) }">
-                <a-radio-button value="none">
-                  {{ $t('label.nodiskcache') }}
-                </a-radio-button>
-                <a-radio-button value="writeback">
-                  {{ $t('label.writeback') }}
-                </a-radio-button>
-                <a-radio-button value="writethrough">
-                  {{ $t('label.writethrough') }}
-                </a-radio-button>
-                <a-radio-button value="hypervisor_default">
-                  {{ $t('label.hypervisor.default') }}
-                </a-radio-button>
-              </a-radio-group>
-            </a-form-item>
-            <a-form-item :label="$t('label.qostype')" name="qostype" ref="qostype">
-              <a-radio-group
-                v-model:value="form.qostype"
-                buttonStyle="solid"
-                @change="selected => { handleQosTypeChange(selected.target.value) }">
-                <a-radio-button value="">
-                  {{ $t('label.none') }}
-                </a-radio-button>
-                <a-radio-button value="hypervisor">
-                  {{ $t('label.hypervisor') }}
-                </a-radio-button>
-                <a-radio-button value="storage">
-                  {{ $t('label.storage') }}
-                </a-radio-button>
-              </a-radio-group>
-            </a-form-item>
-            <a-row :gutter="12" v-if="qosType === 'hypervisor'">
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskbytesreadrate" ref="diskbytesreadrate">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskbytesreadrate')" :tooltip="apiParams.bytesreadrate.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskbytesreadrate"
-                    :placeholder="apiParams.bytesreadrate.description"/>
-                </a-form-item>
-              </a-col>
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskbyteswriterate" ref="diskbyteswriterate">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskbyteswriterate')" :tooltip="apiParams.byteswriterate.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskbyteswriterate"
-                    :placeholder="apiParams.byteswriterate.description"/>
-                </a-form-item>
-              </a-col>
-            </a-row>
-            <a-row :gutter="12" v-if="qosType === 'hypervisor'">
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskiopsreadrate" ref="diskiopsreadrate">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskiopsreadrate')" :tooltip="apiParams.iopsreadrate.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskiopsreadrate"
-                    :placeholder="apiParams.iopsreadrate.description"/>
-                </a-form-item>
-              </a-col>
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskiopswriterate" ref="diskiopswriterate">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskiopswriterate')" :tooltip="apiParams.iopswriterate.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskiopswriterate"
-                    :placeholder="apiParams.iopswriterate.description"/>
-                </a-form-item>
-              </a-col>
-            </a-row>
-            <a-form-item v-if="!isSystem && qosType === 'storage'" name="iscustomizeddiskiops" ref="iscustomizeddiskiops">
-              <template #label>
-                <tooltip-label :title="$t('label.iscustomizeddiskiops')" :tooltip="apiParams.customizediops.description"/>
-              </template>
-              <a-switch v-model:checked="form.iscustomizeddiskiops" :checked="isCustomizedDiskIops" @change="val => { isCustomizedDiskIops = val }" />
-            </a-form-item>
-            <a-row :gutter="12" v-if="qosType === 'storage' && !isCustomizedDiskIops">
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskiopsmin" ref="diskiopsmin">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskiopsmin')" :tooltip="apiParams.miniops.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskiopsmin"
-                    :placeholder="apiParams.miniops.description"/>
-                </a-form-item>
-              </a-col>
-              <a-col :md="12" :lg="12">
-                <a-form-item name="diskiopsmax" ref="diskiopsmax">
-                  <template #label>
-                    <tooltip-label :title="$t('label.diskiopsmax')" :tooltip="apiParams.maxiops.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.diskiopsmax"
-                    :placeholder="apiParams.maxiops.description"/>
-                </a-form-item>
-              </a-col>
-            </a-row>
-            <a-form-item v-if="!isSystem && qosType === 'storage'" name="hypervisorsnapshotreserve" ref="hypervisorsnapshotreserve">
-              <template #label>
-                <tooltip-label :title="$t('label.hypervisorsnapshotreserve')" :tooltip="apiParams.hypervisorsnapshotreserve.description"/>
-              </template>
-              <a-input
-                v-model:value="form.hypervisorsnapshotreserve"
-                :placeholder="apiParams.hypervisorsnapshotreserve.description"/>
-            </a-form-item>
-            <a-row :gutter="12">
-              <a-col :md="12" :lg="12">
-                <a-form-item v-if="apiParams.rootdisksize" name="rootdisksize" ref="rootdisksize">
-                  <template #label>
-                    <tooltip-label :title="$t('label.root.disk.size')" :tooltip="apiParams.rootdisksize.description"/>
-                  </template>
-                  <a-input
-                    v-model:value="form.rootdisksize"
-                    :placeholder="apiParams.rootdisksize.description"/>
-                </a-form-item>
-              </a-col>
-              <a-col :md="12" :lg="12">
-                <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="storagetags" ref="storagetags">
-                  <template #label>
-                    <tooltip-label :title="$t('label.storagetags')" :tooltip="apiParams.tags.description"/>
-                  </template>
-                  <a-select
-                    mode="tags"
-                    :getPopupContainer="(trigger) => trigger.parentNode"
-                    v-model:value="form.storagetags"
-                    showSearch
-                    optionFilterProp="value"
-                    :filterOption="(input, option) => {
-                      return option.value.toLowerCase().indexOf(input.toLowerCase()) >= 0
-                    }"
-                    :loading="storageTagLoading"
-                    :placeholder="apiParams.tags.description"
-                    v-if="isAdmin() || isDomainAdminAllowedToInformTags">
-                    <a-select-option v-for="opt in storageTags" :key="opt">
-                      {{ opt }}
-                    </a-select-option>
-                  </a-select>
-                </a-form-item>
-              </a-col>
-            </a-row>
-            <a-form-item name="encryptdisk" ref="encryptdisk">
-              <template #label>
-                <tooltip-label :title="$t('label.encrypt')" :tooltip="apiParams.encryptroot.description" />
-              </template>
-              <a-switch v-model:checked="form.encryptdisk" :checked="encryptdisk" @change="val => { encryptdisk = val }" />
-            </a-form-item>
-          </span>
-          <span v-if="!computeonly">
-            <a-form-item>
-              <a-button type="primary" @click="addDiskOffering()"> {{ $t('label.add.disk.offering') }} </a-button>
-              <a-modal
-                :visible="showDiskOfferingModal"
-                :title="$t('label.add.disk.offering')"
-                :footer="null"
-                centered
-                :closable="true"
-                @cancel="closeDiskOfferingModal"
-                width="auto">
-                <add-disk-offering @close-action="closeDiskOfferingModal()" @publish-disk-offering-id="($event) => updateSelectedDiskOffering($event)"/>
-              </a-modal>
-              <br /><br />
-              <a-form-item :label="$t('label.disk.offerings')" name="diskofferingid" ref="diskofferingid">
-                <a-select
-                  :getPopupContainer="(trigger) => trigger.parentNode"
-                  v-model:value="form.diskofferingid"
-                  :loading="loading"
-                  :placeholder="$t('label.diskoffering')">
-                  <a-select-option
-                    v-for="(offering, index) in diskOfferings"
-                    :value="offering.id"
-                    :key="index">
-                    {{ offering.displaytext || offering.name }}
-                  </a-select-option>
-                </a-select>
-              </a-form-item>
-            </a-form-item>
-          </span>
-          <a-form-item name="diskofferingstrictness" ref="diskofferingstrictness">
-            <template #label>
-              <tooltip-label :title="$t('label.diskofferingstrictness')" :tooltip="apiParams.diskofferingstrictness.description"/>
-            </template>
-            <a-switch v-model:checked="form.diskofferingstrictness" :checked="diskofferingstrictness" @change="val => { diskofferingstrictness = val }"/>
-          </a-form-item>
-        </a-card>
-        <a-form-item name="externaldetails" ref="externaldetails">
-          <template #label>
-            <tooltip-label :title="$t('label.externaldetails')" :tooltip="apiParams.externaldetails.description"/>
-          </template>
-          <a-switch v-model:checked="externalDetailsEnabled" @change="onExternalDetailsEnabledChange"/>
-          <a-card v-if="externalDetailsEnabled" style="margin-top: 10px">
-            <div style="margin-bottom: 10px">{{ $t('message.add.orchestrator.resource.details') }}</div>
-            <details-input
-              v-model:value="form.externaldetails" />
-          </a-card>
-        </a-form-item>
-      </a-form>
-      <br/>
-      <div :span="24" class="action-button">
-        <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
-        <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
-      </div>
+        :apiParams="apiParams"
+        :isSystem="isSystem"
+        :isAdmin="isAdmin"
+        :ref="formRef"
+        @submit="handleSubmit">
+        <template #form-actions>
+          <br/>
+          <div :span="24" class="action-button">
+            <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+            <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+          </div>
+        </template>
+      </ComputeOfferingForm>
     </a-spin>
   </div>
 </template>
 
 <script>
-import { ref, reactive, toRaw } from 'vue'
+import ComputeOfferingForm from '@/components/offering/ComputeOfferingForm'
+import { ref, reactive } from 'vue'
 import { getAPI, postAPI } from '@/api'
 import AddDiskOffering from '@/views/offering/AddDiskOffering'
 import { isAdmin } from '@/role'
@@ -683,6 +54,7 @@ export default {
   name: 'AddServiceOffering',
   mixins: [mixinForm],
   components: {
+    ComputeOfferingForm,
     AddDiskOffering,
     ResourceIcon,
     TooltipLabel,
@@ -882,9 +254,6 @@ export default {
         this.gpuCardLoading = false
       })
     },
-    addDiskOffering () {
-      this.showDiskOfferingModal = true
-    },
     fetchDiskOfferings () {
       this.diskOfferingLoading = true
       getAPI('listDiskOfferings', {
@@ -898,47 +267,18 @@ export default {
         this.diskOfferingLoading = false
       })
     },
-    updateSelectedDiskOffering (id) {
-      if (id) {
-        this.selectedDiskOfferingId = id
-      }
-    },
-    closeDiskOfferingModal () {
-      this.fetchDiskOfferings()
-      this.showDiskOfferingModal = false
-    },
     isAdmin () {
       return isAdmin()
     },
     isDomainAdmin () {
       return ['DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
     },
-    getVgpuProfileDetails (vgpuProfile) {
-      let output = '('
-      if (vgpuProfile?.videoram) {
-        output += `${vgpuProfile.videoram} MB`
-      }
-      if (vgpuProfile?.maxresolutionx && vgpuProfile?.maxresolutiony) {
-        if (output !== '(') {
-          output += ', '
-        }
-        output += `${vgpuProfile.maxresolutionx}x${vgpuProfile.maxresolutiony}`
-      }
-      output += ')'
-      if (output === '()') {
-        return ''
-      }
-      return output
-    },
     checkIfDomainAdminIsAllowedToInformTag () {
       const params = { id: store.getters.userInfo.accountid }
       getAPI('isAccountAllowedToCreateOfferingsWithTags', params).then(json => {
         this.isDomainAdminAllowedToInformTags = json.isaccountallowedtocreateofferingswithtagsresponse.isallowed.isallowed
       })
     },
-    arrayHasItems (array) {
-      return array !== null && array !== undefined && Array.isArray(array) && array.length > 0
-    },
     fetchDomainData () {
       const params = {}
       params.listAll = true
@@ -990,83 +330,13 @@ export default {
         this.deploymentPlannerLoading = false
       })
     },
-    fetchvSphereStoragePolicies (zoneIndex) {
-      if (zoneIndex === 0 || this.form.zoneid.length > 1) {
-        this.storagePolicies = null
-        return
-      }
-      const zoneid = this.zones[zoneIndex].id
-      if ('importVsphereStoragePolicies' in this.$store.getters.apis) {
-        this.storagePolicies = []
-        getAPI('listVsphereStoragePolicies', {
-          zoneid: zoneid
-        }).then(response => {
-          this.storagePolicies = response.listvspherestoragepoliciesresponse.StoragePolicy || []
-        })
-      }
-    },
-    handleStorageTypeChange (val) {
-      this.storageType = val
-    },
-    handleProvisioningTypeChange (val) {
-      this.provisioningType = val
-    },
-    handleCacheModeChange (val) {
-      this.cacheMode = val
-    },
-    handleComputeOfferingTypeChange (val) {
-      this.offeringType = val
-    },
-    handleQosTypeChange (val) {
-      this.qosType = val
-    },
-    handleDeploymentPlannerChange (planner) {
-      this.selectedDeploymentPlanner = planner
-      this.plannerModeVisible = false
-      if (this.selectedDeploymentPlanner === 'ImplicitDedicationPlanner') {
-        this.plannerModeVisible = isAdmin()
-      }
-    },
-    handlePlannerModeChange (val) {
-      this.plannerMode = val
-    },
-    handleGpuCardChange (cardId) {
-      this.selectedGpuCard = cardId
-      this.form.vgpuprofile = ''
-      if (cardId && cardId !== '') {
-        this.fetchVgpuProfiles(cardId)
-      } else {
-        this.vgpuProfiles = []
-        this.form.gpucount = '1'
-      }
-    },
-    fetchVgpuProfiles (gpuCardId) {
-      this.vgpuProfileLoading = true
-      this.vgpuProfiles = []
-      getAPI('listVgpuProfiles', {
-        gpucardid: gpuCardId
-      }).then(json => {
-        this.vgpuProfiles = json.listvgpuprofilesresponse.vgpuprofile || []
-        this.form.vgpuprofile = this.vgpuProfiles.length > 0 ? this.vgpuProfiles[0].id : ''
-      }).catch(error => {
-        console.error('Error fetching vGPU profiles:', error)
-        this.vgpuProfiles = []
-      }).finally(() => {
-        this.vgpuProfileLoading = false
-      })
-    },
-    onExternalDetailsEnabledChange (val) {
-      if (val || !this.form.externaldetails) {
-        return
-      }
-      this.form.externaldetails = undefined
-    },
     handleSubmit (e) {
-      e.preventDefault()
+      if (e && e.preventDefault) {
+        e.preventDefault()
+      }
       if (this.loading) return
-      this.formRef.value.validate().then(() => {
-        const formRaw = toRaw(this.form)
-        const values = this.handleRemoveFields(formRaw)
+
+      this.formRef.value.validate().then((values) => {
         var params = {
           issystem: this.isSystem,
           name: values.name,
@@ -1089,7 +359,6 @@ export default {
           params.diskofferingid = values.diskofferingid
         }
 
-        // Add GPU parameters
         if (values.vgpuprofile) {
           params.vgpuprofileid = values.vgpuprofile
         }
@@ -1100,17 +369,16 @@ export default {
           params.gpudisplay = values.gpudisplay
         }
 
-        // custom fields (begin)
         if (values.offeringtype === 'fixed') {
           params.cpunumber = values.cpunumber
           params.cpuspeed = values.cpuspeed
           params.memory = values.memory
         } else {
           if (values.cpuspeed != null &&
-              values.mincpunumber != null &&
-              values.maxcpunumber != null &&
-              values.minmemory != null &&
-              values.maxmemory != null) {
+             values.mincpunumber != null &&
+             values.maxcpunumber != null &&
+             values.minmemory != null &&
+             values.maxmemory != null) {
             params.cpuspeed = values.cpuspeed
             params.mincpunumber = values.mincpunumber
             params.maxcpunumber = values.maxcpunumber
@@ -1118,7 +386,6 @@ export default {
             params.maxmemory = values.maxmemory
           }
         }
-        // custom fields (end)
 
         if (values.networkrate != null && values.networkrate.length > 0) {
           params.networkrate = values.networkrate
@@ -1137,7 +404,7 @@ export default {
               params.maxiops = values.diskiopsmax
             }
             if (values.hypervisorsnapshotreserve !== undefined &&
-              values.hypervisorsnapshotreserve != null && values.hypervisorsnapshotreserve.length > 0) {
+             values.hypervisorsnapshotreserve != null && values.hypervisorsnapshotreserve.length > 0) {
               params.hypervisorsnapshotreserve = values.hypervisorsnapshotreserve
             }
           }
@@ -1163,15 +430,15 @@ export default {
           params.hosttags = values.hosttags
         }
         if ('deploymentplanner' in values &&
-          values.deploymentplanner !== undefined &&
-          values.deploymentplanner != null && values.deploymentplanner.length > 0) {
+         values.deploymentplanner !== undefined &&
+         values.deploymentplanner != null && values.deploymentplanner.length > 0) {
           params.deploymentplanner = values.deploymentplanner
         }
         if ('deploymentplanner' in values &&
-          values.deploymentplanner !== undefined &&
-          values.deploymentplanner === 'ImplicitDedicationPlanner' &&
-          values.plannermode !== undefined &&
-          values.plannermode !== '') {
+         values.deploymentplanner !== undefined &&
+         values.deploymentplanner === 'ImplicitDedicationPlanner' &&
+         values.plannermode !== undefined &&
+         values.plannermode !== '') {
           params['serviceofferingdetails[0].key'] = 'ImplicitDedicationMode'
           params['serviceofferingdetails[0].value'] = values.plannermode
         }
@@ -1247,17 +514,6 @@ export default {
         return Promise.reject(this.$t('message.error.number'))
       }
       return Promise.resolve()
-    },
-    onToggleLeaseData () {
-      if (this.showLeaseOptions === false) {
-        this.leaseduration = undefined
-        this.leaseexpiryaction = undefined
-      } else {
-        this.leaseduration = this.leaseduration !== undefined ? this.leaseduration : this.defaultLeaseDuration
-        this.leaseexpiryaction = this.leaseexpiryaction !== undefined ? this.leaseexpiryaction : this.defaultLeaseExpiryAction
-      }
-      this.form.leaseduration = this.leaseduration
-      this.form.leaseexpiryaction = this.leaseexpiryaction
     }
   }
 }
diff --git a/ui/src/views/offering/AddDiskOffering.vue b/ui/src/views/offering/AddDiskOffering.vue
index bfdd778d449..0013425d106 100644
--- a/ui/src/views/offering/AddDiskOffering.vue
+++ b/ui/src/views/offering/AddDiskOffering.vue
@@ -18,485 +18,57 @@
 <template>
   <div class="form-layout" v-ctrl-enter="handleSubmit">
     <a-spin :spinning="loading">
-      <a-form
-        :ref="formRef"
-        :model="form"
-        :rules="rules"
-        @finish="handleSubmit"
-        layout="vertical"
-       >
-        <a-form-item name="name" ref="name">
-          <template #label>
-            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
-          </template>
-          <a-input
-            v-focus="true"
-            v-model:value="form.name"
-            :placeholder="apiParams.name.description"/>
-        </a-form-item>
-        <a-form-item name="displaytext" ref="displaytext">
-          <template #label>
-            <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
-          </template>
-          <a-input
-            v-model:value="form.displaytext"
-            :placeholder="apiParams.displaytext.description"/>
-        </a-form-item>
-        <a-form-item name="storagetype" ref="storagetype">
-          <template #label>
-            <tooltip-label :title="$t('label.storagetype')" :tooltip="apiParams.storagetype.description"/>
-          </template>
-          <a-radio-group
-            v-model:value="form.storagetype"
-            buttonStyle="solid">
-            <a-radio-button value="shared">
-              {{ $t('label.shared') }}
-            </a-radio-button>
-            <a-radio-button value="local">
-              {{ $t('label.local') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-form-item name="provisioningtype" ref="provisioningtype">
-          <template #label>
-            <tooltip-label :title="$t('label.provisioningtype')" :tooltip="apiParams.provisioningtype.description"/>
-          </template>
-          <a-radio-group
-            v-model:value="form.provisioningtype"
-            buttonStyle="solid">
-            <a-radio-button value="thin">
-              {{ $t('label.provisioningtype.thin') }}
-            </a-radio-button>
-            <a-radio-button value="sparse">
-              {{ $t('label.provisioningtype.sparse') }}
-            </a-radio-button>
-            <a-radio-button value="fat">
-              {{ $t('label.provisioningtype.fat') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-form-item name="encryptdisk" ref="encryptdisk">
-          <template #label>
-            <tooltip-label :title="$t('label.encrypt')" :tooltip="apiParams.encrypt.description" />
-          </template>
-          <a-switch v-model:checked="form.encryptdisk" :checked="encryptdisk" @change="val => { encryptdisk = val }" />
-        </a-form-item>
-        <a-form-item name="disksizestrictness" ref="disksizestrictness">
-          <template #label>
-            <tooltip-label :title="$t('label.disksizestrictness')" :tooltip="apiParams.disksizestrictness.description" />
-          </template>
-          <a-switch v-model:checked="form.disksizestrictness" :checked="disksizestrictness" @change="val => { disksizestrictness = val }" />
-        </a-form-item>
-        <a-form-item name="customdisksize" ref="customdisksize">
-          <template #label>
-            <tooltip-label :title="$t('label.customdisksize')" :tooltip="apiParams.customized.description"/>
-          </template>
-          <a-switch v-model:checked="form.customdisksize" />
-        </a-form-item>
-        <a-form-item v-if="!form.customdisksize" name="disksize" ref="disksize">
-          <template #label>
-            <tooltip-label :title="$t('label.disksize')" :tooltip="apiParams.disksize.description"/>
-          </template>
-          <a-input
-            v-model:value="form.disksize"
-            :placeholder="apiParams.disksize.description"/>
-        </a-form-item>
-        <a-form-item name="qostype" ref="qostype" :label="$t('label.qostype')">
-          <a-radio-group
-            v-model:value="form.qostype"
-            buttonStyle="solid">
-            <a-radio-button value="">
-              {{ $t('label.none') }}
-            </a-radio-button>
-            <a-radio-button value="hypervisor">
-              {{ $t('label.hypervisor') }}
-            </a-radio-button>
-            <a-radio-button value="storage">
-              {{ $t('label.storage') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbytesreadrate" ref="diskbytesreadrate">
-          <template #label>
-            <tooltip-label :title="$t('label.diskbytesreadrate')" :tooltip="apiParams.bytesreadrate.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskbytesreadrate"
-            :placeholder="apiParams.bytesreadrate.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbytesreadratemax" ref="diskbytesreadratemax">
-          <template #label>
-            <tooltip-label :title="$t('label.diskbytesreadratemax')" :tooltip="apiParams.bytesreadratemax.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskbytesreadratemax"
-            :placeholder="apiParams.bytesreadratemax.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbyteswriterate" ref="diskbyteswriterate">
-          <template #label>
-            <tooltip-label :title="$t('label.diskbyteswriterate')" :tooltip="apiParams.byteswriterate.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskbyteswriterate"
-            :placeholder="apiParams.byteswriterate.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskbyteswriteratemax" ref="diskbyteswriteratemax">
-          <template #label>
-            <tooltip-label :title="$t('label.diskbyteswriteratemax')" :tooltip="apiParams.byteswriteratemax.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskbyteswriteratemax"
-            :placeholder="apiParams.byteswriteratemax.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskiopsreadrate" ref="diskiopsreadrate">
-          <template #label>
-            <tooltip-label :title="$t('label.diskiopsreadrate')" :tooltip="apiParams.iopsreadrate.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskiopsreadrate"
-            :placeholder="apiParams.iopsreadrate.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'hypervisor'" name="diskiopswriterate" ref="diskiopswriterate">
-          <template #label>
-            <tooltip-label :title="$t('label.diskiopswriterate')" :tooltip="apiParams.iopswriterate.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskiopswriterate"
-            :placeholder="apiParams.iopswriterate.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'storage'" name="iscustomizeddiskiops" ref="iscustomizeddiskiops">
-          <template #label>
-            <tooltip-label :title="$t('label.iscustomizeddiskiops')" :tooltip="apiParams.customizediops.description"/>
-          </template>
-          <a-switch v-model:checked="form.iscustomizeddiskiops" />
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'storage' && !form.iscustomizeddiskiops" name="diskiopsmin" ref="diskiopsmin">
-          <template #label>
-            <tooltip-label :title="$t('label.diskiopsmin')" :tooltip="apiParams.miniops.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskiopsmin"
-            :placeholder="apiParams.miniops.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'storage' && !form.iscustomizeddiskiops" name="diskiopsmax" ref="diskiopsmax">
-          <template #label>
-            <tooltip-label :title="$t('label.diskiopsmax')" :tooltip="apiParams.maxiops.description"/>
-          </template>
-          <a-input
-            v-model:value="form.diskiopsmax"
-            :placeholder="apiParams.maxiops.description"/>
-        </a-form-item>
-        <a-form-item v-if="form.qostype === 'storage'" name="hypervisorsnapshotreserve" ref="hypervisorsnapshotreserve">
-          <template #label>
-            <tooltip-label :title="$t('label.hypervisorsnapshotreserve')" :tooltip="apiParams.hypervisorsnapshotreserve.description"/>
-          </template>
-          <a-input
-            v-model:value="form.hypervisorsnapshotreserve"
-            :placeholder="apiParams.hypervisorsnapshotreserve.description"/>
-        </a-form-item>
-        <a-form-item name="writecachetype" ref="writecachetype">
-          <template #label>
-            <tooltip-label :title="$t('label.writecachetype')" :tooltip="apiParams.cachemode.description"/>
-          </template>
-          <a-radio-group
-            v-model:value="form.writecachetype"
-            buttonStyle="solid"
-            @change="selected => { handleWriteCacheTypeChange(selected.target.value) }">
-            <a-radio-button value="none">
-              {{ $t('label.nodiskcache') }}
-            </a-radio-button>
-            <a-radio-button value="writeback">
-              {{ $t('label.writeback') }}
-            </a-radio-button>
-            <a-radio-button value="writethrough">
-              {{ $t('label.writethrough') }}
-            </a-radio-button>
-            <a-radio-button value="hypervisor_default">
-              {{ $t('label.hypervisor.default') }}
-            </a-radio-button>
-          </a-radio-group>
-        </a-form-item>
-        <a-form-item v-if="isAdmin() || isDomainAdminAllowedToInformTags" name="tags" ref="tags">
-          <template #label>
-            <tooltip-label :title="$t('label.storagetags')" :tooltip="apiParams.tags.description"/>
-          </template>
-          <a-select
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            mode="tags"
-            v-model:value="form.tags"
-            showSearch
-            optionFilterProp="value"
-            :filterOption="(input, option) => {
-              return option.value.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="storageTagLoading"
-            :placeholder="apiParams.tags.description"
-            v-if="isAdmin() || isDomainAdminAllowedToInformTags">
-            <a-select-option v-for="(opt) in storageTags" :key="opt">
-              {{ opt }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item :label="$t('label.ispublic')" v-show="isAdmin()" name="ispublic" ref="ispublic">
-          <a-switch v-model:checked="form.ispublic" @change="val => { isPublic = val }" />
-        </a-form-item>
-        <a-form-item v-if="!isPublic" name="domainid" ref="domainid">
-          <template #label>
-            <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
-          </template>
-          <a-select
-            mode="multiple"
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.domainid"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            :loading="domainLoading"
-            :placeholder="apiParams.domainid.description">
-            <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
-              <span>
-                <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
-                <block-outlined v-else style="margin-right: 5px" />
-                {{ opt.path || opt.name || opt.description }}
-              </span>
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item name="zoneid" ref="zoneid">
-          <template #label>
-            <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
-          </template>
-          <a-select
-            id="zone-selection"
-            mode="multiple"
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.zoneid"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }"
-            @select="val => fetchvSphereStoragePolicies(val)"
-            :loading="zoneLoading"
-            :placeholder="apiParams.zoneid.description">
-            <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
-              <span>
-                <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
-                <global-outlined v-else style="margin-right: 5px"/>
-                {{ opt.name || opt.description }}
-              </span>
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-        <a-form-item v-if="'listVsphereStoragePolicies' in $store.getters.apis && storagePolicies !== null" name="storagepolicy" ref="storagepolicy">
-          <template #label>
-            <tooltip-label :title="$t('label.vmware.storage.policy')" :tooltip="apiParams.storagepolicy.description"/>
-          </template>
-          <a-select
-            :getPopupContainer="(trigger) => trigger.parentNode"
-            v-model:value="form.storagepolicy"
-            :placeholder="apiParams.storagepolicy.description"
-            showSearch
-            optionFilterProp="label"
-            :filterOption="(input, option) => {
-              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
-            }" >
-            <a-select-option v-for="policy in storagePolicies" :key="policy.id" :label="policy.name || policy.id || ''">
-              {{ policy.name || policy.id }}
-            </a-select-option>
-          </a-select>
-        </a-form-item>
-      </a-form>
-      <div :span="24" class="action-button">
-        <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
-        <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
-      </div>
+      <DiskOfferingForm
+        ref="formRef"
+        :initialValues="form"
+        :apiParams="apiParams"
+        :isAdmin="isAdmin"
+        @submit="handleSubmit">
+        <template #form-actions>
+          <div :span="24" class="action-button">
+            <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+            <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+          </div>
+        </template>
+      </DiskOfferingForm>
     </a-spin>
   </div>
 </template>
 
 <script>
-import { getAPI, postAPI } from '@/api'
-import { reactive, ref, toRaw } from 'vue'
+import DiskOfferingForm from '@/components/offering/DiskOfferingForm'
+import { reactive } from 'vue'
+import { postAPI } from '@/api'
 import { isAdmin } from '@/role'
-import { mixinForm } from '@/utils/mixin'
-import ResourceIcon from '@/components/view/ResourceIcon'
-import TooltipLabel from '@/components/widgets/TooltipLabel'
-import store from '@/store'
 
 export default {
   name: 'AddDiskOffering',
-  mixins: [mixinForm],
   components: {
-    ResourceIcon,
-    TooltipLabel
+    DiskOfferingForm
   },
   data () {
     return {
-      selectedDomains: [],
-      storageTags: [],
-      storagePolicies: null,
-      storageTagLoading: false,
-      isPublic: true,
-      isEncrypted: false,
-      domains: [],
-      domainLoading: false,
-      zones: [],
-      zoneLoading: false,
-      loading: false,
-      disksizestrictness: false,
-      encryptdisk: false,
-      isDomainAdminAllowedToInformTags: false
+      formRef: null,
+      form: reactive({}),
+      loading: false
     }
   },
   beforeCreate () {
     this.apiParams = this.$getApiParams('createDiskOffering')
   },
   created () {
-    this.zones = [
-      {
-        id: null,
-        name: this.$t('label.all.zone')
-      }
-    ]
-    this.isPublic = isAdmin()
-    this.initForm()
-    this.fetchData()
   },
   methods: {
-    initForm () {
-      this.formRef = ref()
-      this.form = reactive({
-        storagetype: 'shared',
-        provisioningtype: 'thin',
-        customdisksize: true,
-        writecachetype: 'none',
-        qostype: '',
-        ispublic: this.isPublic,
-        disksizestrictness: this.disksizestrictness,
-        encryptdisk: this.encryptdisk
-      })
-      this.rules = reactive({
-        name: [{ required: true, message: this.$t('message.error.required.input') }],
-        disksize: [
-          { required: true, message: this.$t('message.error.required.input') },
-          { type: 'number', validator: this.validateNumber }
-        ],
-        diskbytesreadrate: [{ type: 'number', validator: this.validateNumber }],
-        diskbytesreadratemax: [{ type: 'number', validator: this.validateNumber }],
-        diskbyteswriterate: [{ type: 'number', validator: this.validateNumber }],
-        diskbyteswriteratemax: [{ type: 'number', validator: this.validateNumber }],
-        diskiopsreadrate: [{ type: 'number', validator: this.validateNumber }],
-        diskiopswriterate: [{ type: 'number', validator: this.validateNumber }],
-        diskiopsmin: [{ type: 'number', validator: this.validateNumber }],
-        diskiopsmax: [{ type: 'number', validator: this.validateNumber }],
-        hypervisorsnapshotreserve: [{ type: 'number', validator: this.validateNumber }],
-        domainid: [{ type: 'array', required: true, message: this.$t('message.error.select') }],
-        zoneid: [{
-          type: 'array',
-          validator: async (rule, value) => {
-            if (value && value.length > 1 && value.indexOf(0) !== -1) {
-              return Promise.reject(this.$t('message.error.zone.combined'))
-            }
-            return Promise.resolve()
-          }
-        }]
-      })
-    },
-    handleWriteCacheTypeChange (val) {
-      this.form.writeCacheType = val
-    },
-    fetchData () {
-      this.fetchDomainData()
-      this.fetchZoneData()
-      if (isAdmin()) {
-        this.fetchStorageTagData()
-      }
-      if (this.isDomainAdmin()) {
-        this.checkIfDomainAdminIsAllowedToInformTag()
-        if (this.isDomainAdminAllowedToInformTags) {
-          this.fetchStorageTagData()
-        }
-      }
-    },
-    isDomainAdmin () {
-      return ['DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
-    },
     isAdmin () {
       return isAdmin()
     },
-    checkIfDomainAdminIsAllowedToInformTag () {
-      const params = { id: store.getters.userInfo.accountid }
-      getAPI('isAccountAllowedToCreateOfferingsWithTags', params).then(json => {
-        this.isDomainAdminAllowedToInformTags = json.isaccountallowedtocreateofferingswithtagsresponse.isallowed.isallowed
-      })
-    },
-    arrayHasItems (array) {
-      return array !== null && array !== undefined && Array.isArray(array) && array.length > 0
-    },
-    fetchDomainData () {
-      const params = {}
-      params.listAll = true
-      params.showicon = true
-      params.details = 'min'
-      this.domainLoading = true
-      getAPI('listDomains', params).then(json => {
-        const listDomains = json.listdomainsresponse.domain
-        this.domains = this.domains.concat(listDomains)
-      }).finally(() => {
-        this.domainLoading = false
-      })
-    },
-    fetchZoneData () {
-      const params = {}
-      params.showicon = true
-      this.zoneLoading = true
-      getAPI('listZones', params).then(json => {
-        const listZones = json.listzonesresponse.zone
-        if (listZones) {
-          this.zones = this.zones.concat(listZones)
-        }
-      }).finally(() => {
-        this.zoneLoading = false
-      })
-    },
-    fetchStorageTagData () {
-      const params = {}
-      this.storageTagLoading = true
-      getAPI('listStorageTags', params).then(json => {
-        const tags = json.liststoragetagsresponse.storagetag || []
-        for (const tag of tags) {
-          if (!this.storageTags.includes(tag.name)) {
-            this.storageTags.push(tag.name)
-          }
-        }
-      }).finally(() => {
-        this.storageTagLoading = false
-      })
-    },
-    fetchvSphereStoragePolicies (zoneIndex) {
-      if (zoneIndex === 0 || this.form.zoneid.length > 1) {
-        this.storagePolicies = null
-        return
-      }
-      const zoneid = this.zones[zoneIndex].id
-      if ('importVsphereStoragePolicies' in this.$store.getters.apis) {
-        this.storagePolicies = []
-        getAPI('listVsphereStoragePolicies', {
-          zoneid: zoneid
-        }).then(response => {
-          this.storagePolicies = response.listvspherestoragepoliciesresponse.StoragePolicy || []
-        })
-      }
-    },
     handleSubmit (e) {
-      e.preventDefault()
+      if (e && e.preventDefault) {
+        e.preventDefault()
+      }
       if (this.loading) return
-      this.formRef.value.validate().then(() => {
-        const formRaw = toRaw(this.form)
-        const values = this.handleRemoveFields(formRaw)
+
+      this.$refs.formRef.validate().then((values) => {
         var params = {
           name: values.name,
           displaytext: values.displaytext,
@@ -553,8 +125,9 @@ export default {
           var domainId = null
           if (domainIndexes && domainIndexes.length > 0) {
             var domainIds = []
+            const domains = this.$refs.formRef.domains
             for (var i = 0; i < domainIndexes.length; i++) {
-              domainIds = domainIds.concat(this.domains[domainIndexes[i]].id)
+              domainIds.push(domains[domainIndexes[i]].id)
             }
             domainId = domainIds.join(',')
           }
@@ -566,8 +139,9 @@ export default {
         var zoneId = null
         if (zoneIndexes && zoneIndexes.length > 0) {
           var zoneIds = []
+          const zones = this.$refs.formRef.zones
           for (var j = 0; j < zoneIndexes.length; j++) {
-            zoneIds = zoneIds.concat(this.zones[zoneIndexes[j]].id)
+            zoneIds.push(zones[zoneIndexes[j]].id)
           }
           zoneId = zoneIds.join(',')
         }
@@ -577,6 +151,8 @@ export default {
         if (values.storagepolicy) {
           params.storagepolicy = values.storagepolicy
         }
+
+        this.loading = true
         postAPI('createDiskOffering', params).then(json => {
           this.$emit('publish-disk-offering-id', json?.creatediskofferingresponse?.diskoffering?.id)
           this.$message.success(`${this.$t('message.disk.offering.created')} ${values.name}`)
@@ -591,12 +167,6 @@ export default {
     },
     closeAction () {
       this.$emit('close-action')
-    },
-    async validateNumber (rule, value) {
-      if (value && (isNaN(value) || value <= 0)) {
-        return Promise.reject(this.$t('message.error.number'))
-      }
-      return Promise.resolve()
     }
   }
 }
diff --git a/ui/src/views/offering/AddNetworkOffering.vue b/ui/src/views/offering/AddNetworkOffering.vue
index abb70abda27..d1bbb0f7304 100644
--- a/ui/src/views/offering/AddNetworkOffering.vue
+++ b/ui/src/views/offering/AddNetworkOffering.vue
@@ -588,6 +588,7 @@ import { mixinForm } from '@/utils/mixin'
 import CheckBoxSelectPair from '@/components/CheckBoxSelectPair'
 import ResourceIcon from '@/components/view/ResourceIcon'
 import TooltipLabel from '@/components/widgets/TooltipLabel'
+import { buildServiceCapabilityParams } from '@/composables/useServiceCapabilityParams'
 
 export default {
   name: 'AddNetworkOffering',
@@ -1173,99 +1174,7 @@ export default {
           }
         }
         if (this.selectedServiceProviderMap != null) {
-          var supportedServices = Object.keys(this.selectedServiceProviderMap)
-          params.supportedservices = supportedServices.join(',')
-          for (var k in supportedServices) {
-            params['serviceProviderList[' + k + '].service'] = supportedServices[k]
-            params['serviceProviderList[' + k + '].provider'] = this.selectedServiceProviderMap[supportedServices[k]]
-          }
-          var serviceCapabilityIndex = 0
-          if (supportedServices.includes('Connectivity')) {
-            if (values.supportsstrechedl2subnet === true) {
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Connectivity'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RegionLevelVpc'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            if (values.supportspublicaccess === true) {
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Connectivity'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'DistributedRouter'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            delete params.supportsstrechedl2subnet
-            delete params.supportspublicaccess
-          }
-          if (supportedServices.includes('SourceNat')) {
-            if (values.redundantroutercapability === true) {
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'SourceNat'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RedundantRouter'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'SourceNat'
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'SupportedSourceNatTypes'
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = values.sourcenattype
-            serviceCapabilityIndex++
-            delete params.redundantroutercapability
-            delete params.sourcenattype
-          } else if (values.redundantroutercapability === true) {
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Gateway'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RedundantRouter'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-          }
-          if (supportedServices.includes('SourceNat')) {
-            if (values.elasticip === true) {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'StaticNat'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'ElasticIp'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            if (values.elasticip === true || values.associatepublicip === true) {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'StaticNat'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'associatePublicIP'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = values.associatepublicip
-              serviceCapabilityIndex++
-            }
-            delete params.elasticip
-            delete params.associatepublicip
-          }
-          if (supportedServices.includes('Lb')) {
-            if ('vmautoscalingcapability' in values) {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'lb'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'VmAutoScaling'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = values.vmautoscalingcapability
-              serviceCapabilityIndex++
-            }
-            if (values.elasticlb === true) {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'lb'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'ElasticLb'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            if (values.inlinemode === true && ((this.selectedServiceProviderMap.Lb === 'F5BigIp') || (this.selectedServiceProviderMap.Lb === 'Netscaler'))) {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'lb'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'InlineMode'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = values.inlinemode
-              serviceCapabilityIndex++
-            }
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'lb'
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'SupportedLbIsolation'
-            params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = values.isolation
-            serviceCapabilityIndex++
-            if (this.selectedServiceProviderMap.Lb === 'InternalLbVm') {
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].service'] = 'lb'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilitytype'] = 'lbSchemes'
-              params['servicecapabilitylist[' + serviceCapabilityIndex + '].capabilityvalue'] = 'internal'
-              serviceCapabilityIndex++
-            }
-            if ('netscalerservicepackages' in values &&
-              this.registeredServicePackages.length > values.netscalerservicepackages &&
-              'netscalerservicepackagesdescription' in values) {
-              params['details[' + 0 + '].servicepackageuuid'] = this.registeredServicePackages[values.netscalerservicepackages].id
-              params['details[' + 1 + '].servicepackagedescription'] = values.netscalerservicepackagesdescription
-            }
-          }
+          buildServiceCapabilityParams(params, values, this.selectedServiceProviderMap, this.registeredServicePackages)
         } else {
           if (!('supportedservices' in params)) {
             params.supportedservices = ''
diff --git a/ui/src/views/offering/AddVpcOffering.vue b/ui/src/views/offering/AddVpcOffering.vue
index 32aa3e8d358..509109c91c2 100644
--- a/ui/src/views/offering/AddVpcOffering.vue
+++ b/ui/src/views/offering/AddVpcOffering.vue
@@ -194,6 +194,14 @@
             </a-select-option>
           </a-select>
         </a-form-item>
+        <a-form-item
+          name="conservemode"
+          ref="conservemode">
+          <template #label>
+            <tooltip-label :title="$t('label.conservemode')" :tooltip="apiParams.conservemode.description"/>
+          </template>
+          <a-switch v-model:checked="form.conservemode" />
+        </a-form-item>
         <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-if="isAdmin()">
           <a-switch v-model:checked="form.ispublic" />
         </a-form-item>
@@ -269,6 +277,7 @@ import { mixinForm } from '@/utils/mixin'
 import CheckBoxSelectPair from '@/components/CheckBoxSelectPair'
 import ResourceIcon from '@/components/view/ResourceIcon'
 import TooltipLabel from '@/components/widgets/TooltipLabel'
+import { buildVpcServiceCapabilityParams } from '@/composables/useServiceCapabilityParams'
 
 export default {
   name: 'AddVpcOffering',
@@ -282,7 +291,6 @@ export default {
     return {
       selectedDomains: [],
       selectedZones: [],
-      isConserveMode: true,
       internetProtocolValue: 'ipv4',
       domains: [],
       domainLoading: false,
@@ -328,7 +336,8 @@ export default {
         description: 'Netris',
         enabled: true
       },
-      nsxSupportedServicesMap: {}
+      nsxSupportedServicesMap: {},
+      conservemode: false
     }
   },
   beforeCreate () {
@@ -719,6 +728,7 @@ export default {
           params.provider = 'Netris'
         }
         params.networkmode = values.networkmode
+        params.conservemode = values.conservemode
         if (!values.forVpc) {
           params.specifyasnumber = values.specifyasnumber
         }
@@ -733,35 +743,7 @@ export default {
             params['serviceProviderList[' + k + '].service'] = supportedServices[k]
             params['serviceProviderList[' + k + '].provider'] = this.selectedServiceProviderMap[supportedServices[k]]
           }
-          var serviceCapabilityIndex = 0
-          if (supportedServices.includes('Connectivity')) {
-            if (values.regionlevelvpc === true) {
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Connectivity'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RegionLevelVpc'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-            if (values.distributedrouter === true) {
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Connectivity'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'DistributedRouter'
-              params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-              serviceCapabilityIndex++
-            }
-          }
-          if (supportedServices.includes('SourceNat') && values.redundantrouter === true) {
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'SourceNat'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RedundantRouter'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-            serviceCapabilityIndex++
-          } else if (values.redundantrouter === true) {
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].service'] = 'Gateway'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilitytype'] = 'RedundantRouter'
-            params['serviceCapabilityList[' + serviceCapabilityIndex + '].capabilityvalue'] = true
-            serviceCapabilityIndex++
-          }
-          if (values.serviceofferingid && this.isVpcVirtualRouterForAtLeastOneService) {
-            params.serviceofferingid = values.serviceofferingid
-          }
+          buildVpcServiceCapabilityParams(params, values, this.selectedServiceProviderMap, this.isVpcVirtualRouterForAtLeastOneService)
         } else {
           params.supportedservices = []
         }
diff --git a/ui/src/views/offering/CloneBackupOffering.vue b/ui/src/views/offering/CloneBackupOffering.vue
new file mode 100644
index 00000000000..c489286ce6c
--- /dev/null
+++ b/ui/src/views/offering/CloneBackupOffering.vue
@@ -0,0 +1,432 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-alert
+        v-if="resource"
+        type="info"
+        style="margin-bottom: 16px">
+        <template #message>
+          <div style="display: block; width: 100%;">
+            <div style="display: block; margin-bottom: 8px;">
+              <strong>{{ $t('message.clone.offering.from') }}: {{ resource.name }}</strong>
+            </div>
+            <div style="display: block; font-size: 12px;">
+              {{ $t('message.clone.offering.edit.hint') }}
+            </div>
+          </div>
+        </template>
+      </a-alert>
+      <a-form
+        layout="vertical"
+        :ref="formRef"
+        :model="form"
+        :rules="rules"
+        @finish="handleSubmit"
+       >
+        <a-form-item name="name" ref="name">
+          <template #label>
+            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+          </template>
+          <a-input
+            v-focus="true"
+            v-model:value="form.name"/>
+        </a-form-item>
+        <a-form-item name="description" ref="description">
+          <template #label>
+            <tooltip-label :title="$t('label.description')" :tooltip="apiParams.description.description"/>
+          </template>
+          <a-input v-model:value="form.description"/>
+        </a-form-item>
+        <a-form-item name="zoneid" ref="zoneid">
+          <template #label>
+            <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid ? apiParams.zoneid.description : ''"/>
+          </template>
+          <a-select
+            allowClear
+            v-model:value="form.zoneid"
+            :loading="zones.loading"
+            @change="onChangeZone"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }" >
+            <a-select-option v-for="zone in zones.opts" :key="zone.name" :label="zone.name">
+              <span>
+                <resource-icon v-if="zone.icon" :image="zone.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <global-outlined v-else style="margin-right: 5px"/>
+                {{ zone.name }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="externalid" ref="externalid">
+          <template #label>
+            <tooltip-label :title="$t('label.externalid')" :tooltip="apiParams.externalid ? apiParams.externalid.description : ''"/>
+          </template>
+          <a-select
+            allowClear
+            v-model:value="form.externalid"
+            :loading="externals.loading"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }" >
+            <a-select-option v-for="opt in externals.opts" :key="opt.id" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="allowuserdrivenbackups" ref="allowuserdrivenbackups">
+          <template #label>
+            <tooltip-label :title="$t('label.allowuserdrivenbackups')" :tooltip="apiParams.allowuserdrivenbackups ? apiParams.allowuserdrivenbackups.description : ''"/>
+          </template>
+          <a-switch v-model:checked="form.allowuserdrivenbackups"/>
+        </a-form-item>
+        <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-if="isAdmin()">
+          <a-switch v-model:checked="form.ispublic" @change="onChangeIsPublic" />
+        </a-form-item>
+        <a-form-item name="domainid" ref="domainid" v-if="!form.ispublic">
+          <template #label>
+            <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
+          </template>
+          <a-select
+            mode="multiple"
+            :getPopupContainer="(trigger) => trigger.parentNode"
+            v-model:value="form.domainid"
+            @change="onChangeDomain"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="domains.loading"
+            :placeholder="apiParams.domainid.description">
+            <a-select-option v-for="(opt, optIndex) in domains.opts" :key="optIndex" :label="opt.path || opt.name || opt.description">
+              <span>
+                <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <block-outlined v-else style="margin-right: 5px" />
+                {{ opt.path || opt.name || opt.description }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <div :span="24" class="action-button">
+          <a-button :loading="loading" @click="closeAction">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </a-form>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import { ref, reactive, toRaw } from 'vue'
+import { getAPI, postAPI } from '@/api'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import { GlobalOutlined } from '@ant-design/icons-vue'
+import { isAdmin } from '@/role'
+
+export default {
+  name: 'CloneBackupOffering',
+  components: {
+    TooltipLabel,
+    ResourceIcon,
+    GlobalOutlined
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      loading: false,
+      zones: {
+        loading: false,
+        opts: []
+      },
+      externals: {
+        loading: false,
+        opts: []
+      },
+      domains: {
+        loading: false,
+        opts: []
+      }
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('cloneBackupOffering')
+  },
+  created () {
+    this.initForm()
+    this.fetchData()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({
+        allowuserdrivenbackups: true
+      })
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.required.input') }],
+        description: [{ required: true, message: this.$t('message.error.required.input') }]
+      })
+    },
+    fetchData () {
+      this.fetchZone()
+      this.fetchDomain()
+      this.$nextTick(() => {
+        this.populateFormFromResource()
+      })
+    },
+    fetchZone () {
+      this.zones.loading = true
+      getAPI('listZones', { available: true, showicon: true }).then(json => {
+        this.zones.opts = json.listzonesresponse.zone || []
+        this.$nextTick(() => {
+          this.populateFormFromResource()
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+      }).finally(() => {
+        this.zones.loading = false
+      })
+    },
+    fetchDomain () {
+      this.domains.loading = true
+      const params = { listAll: true, showicon: true, details: 'min' }
+      getAPI('listDomains', params).then(json => {
+        this.domains.opts = json.listdomainsresponse.domain || []
+        this.$nextTick(() => {
+          this.populateFormFromResource()
+        })
+      }).catch(error => {
+        this.$notifyError(error)
+      }).finally(() => {
+        this.domains.loading = false
+      })
+    },
+    fetchExternal (zoneId) {
+      if (!zoneId) {
+        this.externals.opts = []
+        return
+      }
+      this.externals.loading = true
+      getAPI('listBackupProviderOfferings', { zoneid: zoneId }).then(json => {
+        this.externals.opts = json.listbackupproviderofferingsresponse.backupoffering || []
+      }).catch(error => {
+        this.$notifyError(error)
+      }).finally(() => {
+        this.externals.loading = false
+      })
+    },
+    populateFormFromResource () {
+      if (!this.resource) return
+
+      const r = this.resource
+
+      this.form.name = r.name + ' - Clone'
+      this.form.description = r.description || r.name
+
+      if (r.allowuserdrivenbackups !== undefined) {
+        this.form.allowuserdrivenbackups = r.allowuserdrivenbackups
+      }
+
+      if (r.domainid) {
+        let offeringDomainIds = r.domainid
+        offeringDomainIds = (typeof offeringDomainIds === 'string' && offeringDomainIds.indexOf(',') !== -1) ? offeringDomainIds.split(',') : [offeringDomainIds]
+        const selected = []
+        for (let i = 0; i < offeringDomainIds.length; i++) {
+          for (let j = 0; j < this.domains.opts.length; j++) {
+            if (String(offeringDomainIds[i]) === String(this.domains.opts[j].id)) {
+              selected.push(j)
+            }
+          }
+        }
+        if (selected.length > 0) {
+          this.form.ispublic = false
+          this.form.domainid = selected
+        }
+      } else {
+        if (isAdmin()) {
+          this.form.ispublic = true
+        }
+      }
+
+      if (r.zoneid && this.zones.opts.length > 0) {
+        const zone = this.zones.opts.find(z => z.id === r.zoneid)
+        if (zone) {
+          this.form.zoneid = zone.name
+          this.fetchExternal(zone.id)
+        }
+      }
+
+      if (r.externalid) {
+        this.$nextTick(() => {
+          this.form.externalid = r.externalid
+        })
+      }
+    },
+    handleSubmit (e) {
+      if (e) {
+        e.preventDefault()
+      }
+      if (this.loading) return
+
+      this.formRef.value.validate().then(() => {
+        const values = toRaw(this.form)
+        const params = {
+          sourceofferingid: this.resource.id
+        }
+
+        if (values.name) {
+          params.name = values.name
+        }
+
+        if (values.description) {
+          params.description = values.description
+        }
+
+        if (values.zoneid) {
+          const zone = this.zones.opts.find(z => z.name === values.zoneid)
+          if (zone) {
+            params.zoneid = zone.id
+          }
+        }
+
+        if (values.externalid) {
+          params.externalid = values.externalid
+        }
+
+        if (values.allowuserdrivenbackups !== undefined) {
+          params.allowuserdrivenbackups = values.allowuserdrivenbackups
+        }
+
+        // Include selected domain IDs when offering is not public
+        if (values.ispublic !== true) {
+          const domainIndexes = values.domainid
+          let domainId = null
+          if (domainIndexes && domainIndexes.length > 0) {
+            const domainIds = []
+            const domains = this.domains.opts
+            for (let i = 0; i < domainIndexes.length; i++) {
+              domainIds.push(domains[domainIndexes[i]].id)
+            }
+            domainId = domainIds.join(',')
+          }
+          if (domainId) {
+            params.domainid = domainId
+          }
+        }
+
+        this.loading = true
+        const title = this.$t('message.success.clone.backup.offering')
+
+        postAPI('cloneBackupOffering', params).then(json => {
+          const jobId = json.clonebackupofferingresponse?.jobid
+          if (jobId) {
+            this.$pollJob({
+              jobId,
+              title,
+              description: values.name,
+              successMethod: result => {
+                this.$message.success(`${title}: ${values.name}`)
+                this.$emit('refresh-data')
+                this.closeAction()
+              },
+              loadingMessage: `${title} ${this.$t('label.in.progress')} ${this.$t('label.for')} ${params.name}`,
+              catchMessage: this.$t('error.fetching.async.job.result'),
+              catchMethod: () => {
+                this.closeAction()
+              }
+            })
+          } else {
+            this.$message.success(`${title}: ${values.name}`)
+            this.$emit('refresh-data')
+            this.closeAction()
+          }
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.loading = false
+        })
+      }).catch(error => {
+        this.formRef.value.scrollToField(error.errorFields[0].name)
+      })
+    },
+    onChangeZone (value) {
+      if (!value) {
+        this.externals.opts = []
+        this.form.externalid = null
+        return
+      }
+      const zone = this.zones.opts.find(z => z.name === value)
+      if (zone) {
+        this.fetchExternal(zone.id)
+      }
+    },
+    onChangeIsPublic (value) {
+      // when made public, clear any domain selection
+      try {
+        if (value === true) {
+          this.form.domainid = []
+        }
+      } catch (e) {
+        // ignore
+      }
+    },
+    onChangeDomain (value) {
+      // value is an array of selected indexes (as used in the form), when empty -> make offering public
+      try {
+        if (!value || (Array.isArray(value) && value.length === 0)) {
+          this.form.ispublic = true
+          // clear domain selection to avoid confusing hidden inputs
+          this.form.domainid = []
+        } else {
+          this.form.ispublic = false
+        }
+      } catch (e) {
+        // defensive - do nothing on error
+      }
+    },
+    closeAction () {
+      this.$emit('close-action')
+    },
+    isAdmin () {
+      return isAdmin()
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+.form-layout {
+  width: 30vw;
+
+  @media (min-width: 500px) {
+    width: 450px;
+  }
+}
+</style>
diff --git a/ui/src/views/offering/CloneComputeOffering.vue b/ui/src/views/offering/CloneComputeOffering.vue
new file mode 100644
index 00000000000..07ce8852add
--- /dev/null
+++ b/ui/src/views/offering/CloneComputeOffering.vue
@@ -0,0 +1,674 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-alert
+         v-if="resource"
+         type="info"
+         style="margin-bottom: 16px">
+        <template #message>
+          <div style="display: block; width: 100%;">
+            <div style="display: block; margin-bottom: 8px;">
+              <strong>{{ $t('message.clone.offering.from') }}: {{ resource.name }}</strong>
+            </div>
+            <div style="display: block; font-size: 12px;">
+              {{ $t('message.clone.offering.edit.hint') }}
+            </div>
+          </div>
+        </template>
+      </a-alert>
+      <ComputeOfferingForm
+        :initialValues="form"
+        :rules="rules"
+        :apiParams="apiParams"
+        :isSystem="isSystem"
+        :isAdmin="isAdmin"
+        :ref="formRef"
+        @submit="handleSubmit">
+
+        <!-- form content is provided by ComputeOfferingForm component -->
+        <template #form-actions>
+          <br/>
+          <div :span="24" class="action-button">
+            <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+            <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+          </div>
+        </template>
+      </ComputeOfferingForm>
+     </a-spin>
+   </div>
+ </template>
+
+<script>
+import ComputeOfferingForm from '@/components/offering/ComputeOfferingForm'
+import { ref, reactive } from 'vue'
+import { getAPI, postAPI } from '@/api'
+import AddDiskOffering from '@/views/offering/AddDiskOffering'
+import { isAdmin } from '@/role'
+import { mixinForm } from '@/utils/mixin'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import DetailsInput from '@/components/widgets/DetailsInput'
+import store from '@/store'
+
+export default {
+  name: 'CloneComputeOffering',
+  mixins: [mixinForm],
+  components: {
+    ComputeOfferingForm,
+    AddDiskOffering,
+    ResourceIcon,
+    TooltipLabel,
+    DetailsInput
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      isSystem: false,
+      naturalNumberRule: {
+        type: 'number',
+        validator: this.validateNumber
+      },
+      wholeNumberRule: {
+        type: 'number',
+        validator: async (rule, value) => {
+          if (value && (isNaN(value) || value < 0)) {
+            return Promise.reject(this.$t('message.error.number'))
+          }
+          return Promise.resolve()
+        }
+      },
+      storageType: 'shared',
+      provisioningType: 'thin',
+      cacheMode: 'none',
+      offeringType: 'fixed',
+      isCustomizedDiskIops: false,
+      isPublic: true,
+      domains: [],
+      domainLoading: false,
+      zones: [],
+      zoneLoading: false,
+      selectedDeploymentPlanner: null,
+      storagePolicies: null,
+      storageTags: [],
+      storageTagLoading: false,
+      deploymentPlanners: [],
+      deploymentPlannerLoading: false,
+      plannerModeVisible: false,
+      plannerMode: '',
+      selectedGpuCard: '',
+      showDiskOfferingModal: false,
+      gpuCardLoading: false,
+      gpuCards: [],
+      loading: false,
+      dynamicscalingenabled: true,
+      diskofferingstrictness: false,
+      encryptdisk: false,
+      computeonly: true,
+      diskOfferingLoading: false,
+      diskOfferings: [],
+      selectedDiskOfferingId: '',
+      qosType: '',
+      isDomainAdminAllowedToInformTags: false,
+      isLeaseFeatureEnabled: this.$store.getters.features.instanceleaseenabled,
+      showLeaseOptions: false,
+      expiryActions: ['STOP', 'DESTROY'],
+      defaultLeaseDuration: 90,
+      defaultLeaseExpiryAction: 'STOP',
+      leaseduration: undefined,
+      leaseexpiryaction: undefined,
+      vgpuProfiles: [],
+      vgpuProfileLoading: false,
+      externalDetailsEnabled: false
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('cloneServiceOffering')
+  },
+  created () {
+    this.zones = [
+      {
+        id: null,
+        name: this.$t('label.all.zone')
+      }
+    ]
+    if (this.$route.meta.name === 'systemoffering') {
+      this.isSystem = true
+    }
+    this.initForm()
+    this.fetchData()
+    this.isPublic = isAdmin()
+    this.form.ispublic = this.isPublic
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({
+        systemvmtype: 'domainrouter',
+        offeringtype: this.offeringType,
+        ispublic: this.isPublic,
+        dynamicscalingenabled: true,
+        plannermode: this.plannerMode,
+        gpucardid: this.selectedGpuCard,
+        vgpuprofile: '',
+        gpucount: '1',
+        gpudisplay: false,
+        computeonly: this.computeonly,
+        storagetype: this.storageType,
+        provisioningtype: this.provisioningType,
+        cachemode: this.cacheMode,
+        qostype: this.qosType,
+        iscustomizeddiskiops: this.isCustomizedDiskIops,
+        diskofferingid: this.selectedDiskOfferingId,
+        diskofferingstrictness: this.diskofferingstrictness,
+        encryptdisk: this.encryptdisk,
+        leaseduration: this.leaseduration,
+        leaseexpiryaction: this.leaseexpiryaction
+      })
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.required.input') }],
+        cpunumber: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        cpuspeed: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.wholeNumberRule
+        ],
+        mincpunumber: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        maxcpunumber: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        memory: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        minmemory: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        maxmemory: [
+          { required: true, message: this.$t('message.error.required.input') },
+          this.naturalNumberRule
+        ],
+        networkrate: [this.naturalNumberRule],
+        rootdisksize: [this.naturalNumberRule],
+        diskbytesreadrate: [this.naturalNumberRule],
+        diskbyteswriterate: [this.naturalNumberRule],
+        diskiopsreadrate: [this.naturalNumberRule],
+        diskiopswriterate: [this.naturalNumberRule],
+        diskiopsmin: [this.naturalNumberRule],
+        diskiopsmax: [this.naturalNumberRule],
+        hypervisorsnapshotreserve: [this.naturalNumberRule],
+        domainid: [{ type: 'array', required: true, message: this.$t('message.error.select') }],
+        diskofferingid: [{ required: true, message: this.$t('message.error.select') }],
+        gpucount: [{
+          type: 'number',
+          validator: async (rule, value) => {
+            if (value && (isNaN(value) || value < 1)) {
+              return Promise.reject(this.$t('message.error.number.minimum.one'))
+            }
+            return Promise.resolve()
+          }
+        }],
+        zoneid: [{
+          type: 'array',
+          validator: async (rule, value) => {
+            if (value && value.length > 1 && value.indexOf(0) !== -1) {
+              return Promise.reject(this.$t('message.error.zone.combined'))
+            }
+            return Promise.resolve()
+          }
+        }],
+        leaseduration: [this.naturalNumberRule]
+      })
+    },
+    fetchData () {
+      this.fetchDomainData()
+      this.fetchZoneData()
+      this.fetchGPUCards()
+      if (isAdmin()) {
+        this.fetchStorageTagData()
+        this.fetchDeploymentPlannerData()
+      } else if (this.isDomainAdmin()) {
+        this.checkIfDomainAdminIsAllowedToInformTag()
+        if (this.isDomainAdminAllowedToInformTags) {
+          this.fetchStorageTagData()
+        }
+      }
+      this.fetchDiskOfferings()
+      this.populateFormFromResource()
+    },
+    populateFormFromResource () {
+      if (!this.resource) return
+
+      // Pre-fill form with source offering values
+      const r = this.resource
+      this.form.name = r.name + ' - Clone'
+      this.form.displaytext = r.displaytext
+
+      if (r.iscustomized) {
+        if (r.cpunumber || r.cpuspeed || r.memory) {
+          this.offeringType = 'customconstrained'
+          this.form.offeringtype = 'customconstrained'
+        } else {
+          this.offeringType = 'customunconstrained'
+          this.form.offeringtype = 'customunconstrained'
+        }
+      } else {
+        this.offeringType = 'fixed'
+        this.form.offeringtype = 'fixed'
+      }
+
+      if (r.cpunumber) this.form.cpunumber = r.cpunumber
+      if (r.cpuspeed) this.form.cpuspeed = r.cpuspeed
+      if (r.memory) this.form.memory = r.memory
+
+      if (r.mincpunumber) this.form.mincpunumber = r.mincpunumber
+      if (r.maxcpunumber) this.form.maxcpunumber = r.maxcpunumber
+      if (r.minmemory) this.form.minmemory = r.minmemory
+      if (r.maxmemory) this.form.maxmemory = r.maxmemory
+
+      if (r.hosttags) this.form.hosttags = r.hosttags
+      if (r.networkrate) this.form.networkrate = r.networkrate
+      if (r.offerha !== undefined) this.form.offerha = r.offerha
+      if (r.dynamicscalingenabled !== undefined) {
+        this.form.dynamicscalingenabled = r.dynamicscalingenabled
+        this.dynamicscalingenabled = r.dynamicscalingenabled
+      }
+      if (r.limitcpuuse !== undefined) this.form.limitcpuuse = r.limitcpuuse
+      if (r.isvolatile !== undefined) this.form.isvolatile = r.isvolatile
+
+      if (r.storagetype) {
+        this.storageType = r.storagetype
+        this.form.storagetype = r.storagetype
+      }
+      if (r.provisioningtype) {
+        this.provisioningType = r.provisioningtype
+        this.form.provisioningtype = r.provisioningtype
+      }
+      if (r.cachemode) {
+        this.cacheMode = r.cachemode
+        this.form.cachemode = r.cachemode
+      }
+
+      if (r.diskofferingstrictness !== undefined) {
+        this.form.diskofferingstrictness = r.diskofferingstrictness
+        this.diskofferingstrictness = r.diskofferingstrictness
+      }
+      if (r.encryptroot !== undefined) {
+        this.form.encryptdisk = r.encryptroot
+        this.encryptdisk = r.encryptroot
+      }
+
+      if (r.diskBytesReadRate || r.diskBytesWriteRate || r.diskIopsReadRate || r.diskIopsWriteRate) {
+        this.qosType = 'hypervisor'
+        this.form.qostype = 'hypervisor'
+        if (r.diskBytesReadRate) this.form.diskbytesreadrate = r.diskBytesReadRate
+        if (r.diskBytesWriteRate) this.form.diskbyteswriterate = r.diskBytesWriteRate
+        if (r.diskIopsReadRate) this.form.diskiopsreadrate = r.diskIopsReadRate
+        if (r.diskIopsWriteRate) this.form.diskiopswriterate = r.diskIopsWriteRate
+      } else if (r.miniops || r.maxiops) {
+        this.qosType = 'storage'
+        this.form.qostype = 'storage'
+        if (r.miniops) this.form.diskiopsmin = r.miniops
+        if (r.maxiops) this.form.diskiopsmax = r.maxiops
+        if (r.hypervisorsnapshotreserve) this.form.hypervisorsnapshotreserve = r.hypervisorsnapshotreserve
+      }
+      if (r.iscustomizediops !== undefined) {
+        this.form.iscustomizeddiskiops = r.iscustomizediops
+        this.isCustomizedDiskIops = r.iscustomizediops
+      }
+
+      if (r.rootdisksize) this.form.rootdisksize = r.rootdisksize
+
+      if (r.tags) {
+        this.form.storagetags = r.tags.split(',')
+      }
+
+      if (r.gpucardid) {
+        this.form.gpucardid = r.gpucardid
+        this.selectedGpuCard = r.gpucardid
+        if (r.gpucardid) {
+          this.fetchVgpuProfiles(r.gpucardid)
+        }
+      }
+      if (r.vgpuprofileid) this.form.vgpuprofile = r.vgpuprofileid
+      if (r.gpucount) this.form.gpucount = r.gpucount
+      if (r.gpudisplay !== undefined) this.form.gpudisplay = r.gpudisplay
+
+      if (r.leaseduration) {
+        this.form.leaseduration = r.leaseduration
+        this.showLeaseOptions = true
+      }
+      if (r.leaseexpiryaction) this.form.leaseexpiryaction = r.leaseexpiryaction
+
+      if (r.purgeresources !== undefined) this.form.purgeresources = r.purgeresources
+
+      if (r.vspherestoragepolicy) this.form.storagepolicy = r.vspherestoragepolicy
+
+      if (r.systemvmtype) this.form.systemvmtype = r.systemvmtype
+
+      if (r.deploymentplanner) {
+        this.form.deploymentplanner = r.deploymentplanner
+        this.handleDeploymentPlannerChange(r.deploymentplanner)
+      }
+
+      if (r.serviceofferingdetails && Object.keys(r.serviceofferingdetails).length > 0) {
+        this.externalDetailsEnabled = true
+        this.form.externaldetails = r.serviceofferingdetails
+      }
+    },
+    fetchGPUCards () {
+      this.gpuCardLoading = true
+      getAPI('listGpuCards', {
+      }).then(json => {
+        this.gpuCards = json.listgpucardsresponse.gpucard || []
+        this.gpuCards.unshift({
+          id: '',
+          name: this.$t('label.none')
+        })
+      }).finally(() => {
+        this.gpuCardLoading = false
+      })
+    },
+    fetchDiskOfferings () {
+      this.diskOfferingLoading = true
+      getAPI('listDiskOfferings', {
+        listall: true
+      }).then(json => {
+        this.diskOfferings = json.listdiskofferingsresponse.diskoffering || []
+        if (this.selectedDiskOfferingId === '') {
+          this.selectedDiskOfferingId = this.diskOfferings?.[0]?.id || ''
+        }
+      }).finally(() => {
+        this.diskOfferingLoading = false
+      })
+    },
+    isAdmin () {
+      return isAdmin()
+    },
+    isDomainAdmin () {
+      return ['DomainAdmin'].includes(this.$store.getters.userInfo.roletype)
+    },
+    checkIfDomainAdminIsAllowedToInformTag () {
+      const params = { id: store.getters.userInfo.accountid }
+      getAPI('isAccountAllowedToCreateOfferingsWithTags', params).then(json => {
+        this.isDomainAdminAllowedToInformTags = json.isaccountallowedtocreateofferingswithtagsresponse.isallowed.isallowed
+      })
+    },
+    fetchDomainData () {
+      const params = {}
+      params.listAll = true
+      params.showicon = true
+      params.details = 'min'
+      this.domainLoading = true
+      getAPI('listDomains', params).then(json => {
+        const listDomains = json.listdomainsresponse.domain
+        this.domains = this.domains.concat(listDomains)
+      }).finally(() => {
+        this.domainLoading = false
+      })
+    },
+    fetchZoneData () {
+      const params = {}
+      params.showicon = true
+      this.zoneLoading = true
+      getAPI('listZones', params).then(json => {
+        const listZones = json.listzonesresponse.zone
+        if (listZones) {
+          this.zones = this.zones.concat(listZones)
+        }
+      }).finally(() => {
+        this.zoneLoading = false
+      })
+    },
+    fetchStorageTagData () {
+      this.storageTagLoading = true
+      this.storageTags = []
+      getAPI('listStorageTags').then(json => {
+        const tags = json.liststoragetagsresponse.storagetag || []
+        for (const tag of tags) {
+          if (!this.storageTags.includes(tag.name)) {
+            this.storageTags.push(tag.name)
+          }
+        }
+      }).finally(() => {
+        this.storageTagLoading = false
+      })
+    },
+    fetchDeploymentPlannerData () {
+      this.deploymentPlannerLoading = true
+      getAPI('listDeploymentPlanners').then(json => {
+        const planners = json.listdeploymentplannersresponse.deploymentPlanner
+        this.deploymentPlanners = this.deploymentPlanners.concat(planners)
+        this.deploymentPlanners.unshift({ name: '' })
+        this.form.deploymentplanner = this.deploymentPlanners.length > 0 ? this.deploymentPlanners[0].name : ''
+      }).finally(() => {
+        this.deploymentPlannerLoading = false
+      })
+    },
+    handleSubmit (e) {
+      if (e && e.preventDefault) {
+        e.preventDefault()
+      }
+      if (this.loading) return
+
+      this.formRef.value.validate().then((values) => {
+        var params = {
+          issystem: this.isSystem,
+          name: values.name,
+          displaytext: values.displaytext,
+          storagetype: values.storagetype,
+          provisioningtype: values.provisioningtype,
+          cachemode: values.cachemode,
+          customized: values.offeringtype !== 'fixed',
+          offerha: values.offerha === true,
+          limitcpuuse: values.limitcpuuse === true,
+          dynamicscalingenabled: values.dynamicscalingenabled,
+          diskofferingstrictness: values.diskofferingstrictness,
+          encryptroot: values.encryptdisk,
+          purgeresources: values.purgeresources,
+          leaseduration: values.leaseduration,
+          leaseexpiryaction: values.leaseexpiryaction
+        }
+
+        if (values.diskofferingid) {
+          params.diskofferingid = values.diskofferingid
+        }
+
+        if (values.vgpuprofile) {
+          params.vgpuprofileid = values.vgpuprofile
+        }
+        if (values.gpucount && values.gpucount > 0) {
+          params.gpucount = values.gpucount
+        }
+        if (values.gpudisplay !== undefined) {
+          params.gpudisplay = values.gpudisplay
+        }
+
+        if (values.offeringtype === 'fixed') {
+          params.cpunumber = values.cpunumber
+          params.cpuspeed = values.cpuspeed
+          params.memory = values.memory
+        } else {
+          if (values.cpuspeed != null &&
+               values.mincpunumber != null &&
+               values.maxcpunumber != null &&
+               values.minmemory != null &&
+               values.maxmemory != null) {
+            params.cpuspeed = values.cpuspeed
+            params.mincpunumber = values.mincpunumber
+            params.maxcpunumber = values.maxcpunumber
+            params.minmemory = values.minmemory
+            params.maxmemory = values.maxmemory
+          }
+        }
+
+        if (values.networkrate != null && values.networkrate.length > 0) {
+          params.networkrate = values.networkrate
+        }
+        if (values.rootdisksize != null && values.rootdisksize.length > 0) {
+          params.rootdisksize = values.rootdisksize
+        }
+        if (values.qostype === 'storage') {
+          var customIops = values.iscustomizeddiskiops === true
+          params.customizediops = customIops
+          if (!customIops) {
+            if (values.diskiopsmin != null && values.diskiopsmin.length > 0) {
+              params.miniops = values.diskiopsmin
+            }
+            if (values.diskiopsmax != null && values.diskiopsmax.length > 0) {
+              params.maxiops = values.diskiopsmax
+            }
+            if (values.hypervisorsnapshotreserve !== undefined &&
+               values.hypervisorsnapshotreserve != null && values.hypervisorsnapshotreserve.length > 0) {
+              params.hypervisorsnapshotreserve = values.hypervisorsnapshotreserve
+            }
+          }
+        } else if (values.qostype === 'hypervisor') {
+          if (values.diskbytesreadrate != null && values.diskbytesreadrate.length > 0) {
+            params.bytesreadrate = values.diskbytesreadrate
+          }
+          if (values.diskbyteswriterate != null && values.diskbyteswriterate.length > 0) {
+            params.byteswriterate = values.diskbyteswriterate
+          }
+          if (values.diskiopsreadrate != null && values.diskiopsreadrate.length > 0) {
+            params.iopsreadrate = values.diskiopsreadrate
+          }
+          if (values.diskiopswriterate != null && values.diskiopswriterate.length > 0) {
+            params.iopswriterate = values.diskiopswriterate
+          }
+        }
+        if (values.storagetags != null && values.storagetags.length > 0) {
+          var tags = values.storagetags.join(',')
+          params.tags = tags
+        }
+        if (values.hosttags != null && values.hosttags.length > 0) {
+          params.hosttags = values.hosttags
+        }
+        if ('deploymentplanner' in values &&
+           values.deploymentplanner !== undefined &&
+           values.deploymentplanner != null && values.deploymentplanner.length > 0) {
+          params.deploymentplanner = values.deploymentplanner
+        }
+        if ('deploymentplanner' in values &&
+           values.deploymentplanner !== undefined &&
+           values.deploymentplanner === 'ImplicitDedicationPlanner' &&
+           values.plannermode !== undefined &&
+           values.plannermode !== '') {
+          params['serviceofferingdetails[0].key'] = 'ImplicitDedicationMode'
+          params['serviceofferingdetails[0].value'] = values.plannermode
+        }
+        if ('isvolatile' in values && values.isvolatile !== undefined) {
+          params.isvolatile = values.isvolatile === true
+        }
+        if ('systemvmtype' in values && values.systemvmtype !== undefined) {
+          params.systemvmtype = values.systemvmtype
+        }
+
+        if ('leaseduration' in values && values.leaseduration !== undefined) {
+          params.leaseduration = values.leaseduration
+        }
+
+        if ('leaseexpiryaction' in values && values.leaseexpiryaction !== undefined) {
+          params.leaseexpiryaction = values.leaseexpiryaction
+        }
+
+        if (values.ispublic !== true) {
+          var domainIndexes = values.domainid
+          var domainId = null
+          if (domainIndexes && domainIndexes.length > 0) {
+            var domainIds = []
+            for (var i = 0; i < domainIndexes.length; i++) {
+              domainIds = domainIds.concat(this.domains[domainIndexes[i]].id)
+            }
+            domainId = domainIds.join(',')
+          }
+          if (domainId) {
+            params.domainid = domainId
+          }
+        }
+        var zoneIndexes = values.zoneid
+        var zoneId = null
+        if (zoneIndexes && zoneIndexes.length > 0) {
+          var zoneIds = []
+          for (var j = 0; j < zoneIndexes.length; j++) {
+            zoneIds = zoneIds.concat(this.zones[zoneIndexes[j]].id)
+          }
+          zoneId = zoneIds.join(',')
+        }
+        if (zoneId) {
+          params.zoneid = zoneId
+        }
+        if (values.storagepolicy) {
+          params.storagepolicy = values.storagepolicy
+        }
+        if (values.externaldetails) {
+          Object.entries(values.externaldetails).forEach(([key, value]) => {
+            params['externaldetails[0].' + key] = value
+          })
+        }
+
+        params.sourceofferingid = this.resource.id
+        this.loading = true
+        postAPI('cloneServiceOffering', params).then(json => {
+          const message = this.isSystem
+            ? `${this.$t('message.clone.service.offering')}: `
+            : `${this.$t('message.clone.compute.offering')}: `
+          this.$message.success(message + values.name)
+          this.$emit('refresh-data')
+          this.closeAction()
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.loading = false
+        })
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    },
+    async validateNumber (rule, value) {
+      if (value && (isNaN(value) || value <= 0)) {
+        return Promise.reject(this.$t('message.error.number'))
+      }
+      return Promise.resolve()
+    }
+  }
+}
+</script>
+
+ <style scoped lang="scss">
+  .form-layout {
+    width: 80vw;
+    @media (min-width: 800px) {
+      width: 700px;
+    }
+  }
+</style>
diff --git a/ui/src/views/offering/CloneDiskOffering.vue b/ui/src/views/offering/CloneDiskOffering.vue
new file mode 100644
index 00000000000..3e5ddd6ce84
--- /dev/null
+++ b/ui/src/views/offering/CloneDiskOffering.vue
@@ -0,0 +1,279 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-alert
+        v-if="resource"
+        type="info"
+        style="margin-bottom: 16px">
+        <template #message>
+          <div style="display: block; width: 100%;">
+            <div style="display: block; margin-bottom: 8px;">
+              <strong>{{ $t('message.clone.offering.from') }}: {{ resource.name }}</strong>
+            </div>
+            <div style="display: block; font-size: 12px;">
+              {{ $t('message.clone.offering.edit.hint') }}
+            </div>
+          </div>
+        </template>
+      </a-alert>
+      <DiskOfferingForm
+        ref="formRef"
+        :initialValues="form"
+        :apiParams="apiParams"
+        :isAdmin="isAdmin"
+        @submit="handleSubmit">
+        <template #form-actions>
+          <div :span="24" class="action-button">
+            <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+            <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+          </div>
+        </template>
+      </DiskOfferingForm>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import DiskOfferingForm from '@/components/offering/DiskOfferingForm'
+import { reactive } from 'vue'
+import { postAPI } from '@/api'
+import { isAdmin } from '@/role'
+
+export default {
+  name: 'CloneDiskOffering',
+  components: {
+    DiskOfferingForm
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      formRef: null,
+      form: reactive({}),
+      loading: false
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('cloneDiskOffering')
+  },
+  created () {
+    this.populateFormFromResource()
+  },
+  methods: {
+    populateFormFromResource () {
+      if (!this.resource) return
+
+      const r = this.resource
+      this.form.name = r.name + ' - Clone'
+      this.form.displaytext = r.displaytext
+
+      if (r.storagetype) {
+        this.form.storagetype = r.storagetype
+      }
+      if (r.provisioningtype) {
+        this.form.provisioningtype = r.provisioningtype
+      }
+      if (r.customized !== undefined) {
+        this.form.customdisksize = r.customized
+      }
+      if (r.disksize) this.form.disksize = r.disksize
+
+      if (r.cachemode) {
+        this.form.writecachetype = r.cachemode
+      }
+
+      if (r.disksizestrictness !== undefined) {
+        this.form.disksizestrictness = r.disksizestrictness
+      }
+      if (r.encrypt !== undefined) {
+        this.form.encryptdisk = r.encrypt
+      }
+
+      if (r.diskBytesReadRate || r.diskBytesReadRateMax || r.diskBytesWriteRate || r.diskBytesWriteRateMax || r.diskIopsReadRate || r.diskIopsWriteRate) {
+        this.form.qostype = 'hypervisor'
+        if (r.diskBytesReadRate) this.form.diskbytesreadrate = r.diskBytesReadRate
+        if (r.diskBytesReadRateMax) this.form.diskbytesreadratemax = r.diskBytesReadRateMax
+        if (r.diskBytesWriteRate) this.form.diskbyteswriterate = r.diskBytesWriteRate
+        if (r.diskBytesWriteRateMax) this.form.diskbyteswriteratemax = r.diskBytesWriteRateMax
+        if (r.diskIopsReadRate) this.form.diskiopsreadrate = r.diskIopsReadRate
+        if (r.diskIopsWriteRate) this.form.diskiopswriterate = r.diskIopsWriteRate
+      } else if (r.miniops || r.maxiops) {
+        this.form.qostype = 'storage'
+        if (r.miniops) this.form.diskiopsmin = r.miniops
+        if (r.maxiops) this.form.diskiopsmax = r.maxiops
+        if (r.hypervisorsnapshotreserve) this.form.hypervisorsnapshotreserve = r.hypervisorsnapshotreserve
+      }
+      if (r.iscustomizediops !== undefined) {
+        this.form.iscustomizeddiskiops = r.iscustomizediops
+      }
+
+      if (r.tags) {
+        this.form.tags = r.tags.split(',')
+      }
+
+      if (r.vspherestoragepolicy) this.form.storagepolicy = r.vspherestoragepolicy
+    },
+    isAdmin () {
+      return isAdmin()
+    },
+    handleSubmit (e) {
+      if (e && e.preventDefault) {
+        e.preventDefault()
+      }
+      if (this.loading) return
+
+      this.$refs.formRef.validate().then((values) => {
+        const params = {
+          sourceofferingid: this.resource.id,
+          name: values.name
+        }
+
+        if (values.displaytext) {
+          params.displaytext = values.displaytext
+        }
+        if (values.storagetype) {
+          params.storagetype = values.storagetype
+        }
+        if (values.writecachetype) {
+          params.cachemode = values.writecachetype
+        }
+        if (values.provisioningtype) {
+          params.provisioningtype = values.provisioningtype
+        }
+        if (values.customdisksize !== undefined) {
+          params.customized = values.customdisksize
+        }
+        if (values.disksizestrictness !== undefined) {
+          params.disksizestrictness = values.disksizestrictness
+        }
+        if (values.encryptdisk !== undefined) {
+          params.encrypt = values.encryptdisk
+        }
+
+        if (values.customdisksize !== true && values.disksize) {
+          params.disksize = values.disksize
+        }
+
+        if (values.qostype === 'storage') {
+          const customIops = values.iscustomizeddiskiops === true
+          params.customizediops = customIops
+          if (!customIops) {
+            if (values.diskiopsmin != null && values.diskiopsmin.length > 0) {
+              params.miniops = values.diskiopsmin
+            }
+            if (values.diskiopsmax != null && values.diskiopsmax.length > 0) {
+              params.maxiops = values.diskiopsmax
+            }
+            if (values.hypervisorsnapshotreserve != null && values.hypervisorsnapshotreserve.length > 0) {
+              params.hypervisorsnapshotreserve = values.hypervisorsnapshotreserve
+            }
+          }
+        } else if (values.qostype === 'hypervisor') {
+          if (values.diskbytesreadrate != null && values.diskbytesreadrate.length > 0) {
+            params.bytesreadrate = values.diskbytesreadrate
+          }
+          if (values.diskbytesreadratemax != null && values.diskbytesreadratemax.length > 0) {
+            params.bytesreadratemax = values.diskbytesreadratemax
+          }
+          if (values.diskbyteswriterate != null && values.diskbyteswriterate.length > 0) {
+            params.byteswriterate = values.diskbyteswriterate
+          }
+          if (values.diskbyteswriteratemax != null && values.diskbyteswriteratemax.length > 0) {
+            params.byteswriteratemax = values.diskbyteswriteratemax
+          }
+          if (values.diskiopsreadrate != null && values.diskiopsreadrate.length > 0) {
+            params.iopsreadrate = values.diskiopsreadrate
+          }
+          if (values.diskiopswriterate != null && values.diskiopswriterate.length > 0) {
+            params.iopswriterate = values.diskiopswriterate
+          }
+        }
+
+        if (values.tags != null && values.tags.length > 0) {
+          const tags = values.tags.join(',')
+          params.tags = tags
+        }
+
+        if (values.ispublic !== true) {
+          const domainIndexes = values.domainid
+          let domainId = null
+          if (domainIndexes && domainIndexes.length > 0) {
+            const domainIds = []
+            const domains = this.$refs.formRef.domains
+            for (let i = 0; i < domainIndexes.length; i++) {
+              domainIds.push(domains[domainIndexes[i]].id)
+            }
+            domainId = domainIds.join(',')
+          }
+          if (domainId) {
+            params.domainid = domainId
+          }
+        }
+
+        const zoneIndexes = values.zoneid
+        let zoneId = null
+        if (zoneIndexes && zoneIndexes.length > 0) {
+          const zoneIds = []
+          const zones = this.$refs.formRef.zones
+          for (let j = 0; j < zoneIndexes.length; j++) {
+            zoneIds.push(zones[zoneIndexes[j]].id)
+          }
+          zoneId = zoneIds.join(',')
+        }
+        if (zoneId) {
+          params.zoneid = zoneId
+        }
+
+        if (values.storagepolicy) {
+          params.storagepolicy = values.storagepolicy
+        }
+
+        this.loading = true
+        postAPI('cloneDiskOffering', params).then(json => {
+          this.$message.success(`${this.$t('message.success.clone.disk.offering')} ${values.name}`)
+          this.$emit('refresh-data')
+          this.closeAction()
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.loading = false
+        })
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+  .form-layout {
+    width: 80vw;
+
+    @media (min-width: 700px) {
+      width: 550px;
+    }
+  }
+</style>
diff --git a/ui/src/views/offering/CloneNetworkOffering.vue b/ui/src/views/offering/CloneNetworkOffering.vue
new file mode 100644
index 00000000000..0cd5e733b24
--- /dev/null
+++ b/ui/src/views/offering/CloneNetworkOffering.vue
@@ -0,0 +1,1430 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-alert
+        v-if="resource"
+        type="info"
+        style="margin-bottom: 16px">
+        <template #message>
+          <div style="display: block; width: 100%;">
+            <div style="display: block; margin-bottom: 8px;">
+              <strong>{{ $t('message.clone.offering.from') }}: {{ resource.name }}</strong>
+            </div>
+            <div style="display: block; font-size: 12px;">
+              {{ $t('message.clone.offering.edit.hint') }}
+            </div>
+          </div>
+        </template>
+      </a-alert>
+      <a-form
+        :ref="formRef"
+        :model="form"
+        :rules="rules"
+        @finish="handleSubmit"
+        layout="vertical"
+      >
+        <a-form-item name="name" ref="name">
+          <template #label>
+            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+          </template>
+          <a-input
+            v-focus="true"
+            v-model:value="form.name"
+            :placeholder="apiParams.name.description"/>
+        </a-form-item>
+        <a-form-item name="displaytext" ref="displaytext">
+          <template #label>
+            <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
+          </template>
+          <a-input
+            v-model:value="form.displaytext"
+            :placeholder="apiParams.displaytext.description"/>
+        </a-form-item>
+        <a-form-item name="guestiptype" ref="guestiptype">
+          <template #label>
+            <tooltip-label :title="$t('label.guestiptype')" :tooltip="apiParams.guestiptype.description"/>
+          </template>
+          <a-radio-group
+            v-model:value="form.guestiptype"
+            buttonStyle="solid"
+            @change="selected => { handleGuestTypeChange(selected.target.value) }">
+            <a-radio-button value="isolated">
+              {{ $t('label.isolated') }}
+            </a-radio-button>
+            <a-radio-button value="l2">
+              {{ $t('label.l2') }}
+            </a-radio-button>
+            <a-radio-button value="shared">
+              {{ $t('label.shared') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="internetprotocol" ref="internetprotocol" v-if="guestType === 'isolated'">
+          <template #label>
+            <tooltip-label :title="$t('label.internetprotocol')" :tooltip="apiParams.internetprotocol.description"/>
+          </template>
+          <span v-if="!ipv6NetworkOfferingEnabled || internetProtocolValue!=='ipv4'">
+            <a-alert type="warning">
+              <template #message>
+                <span v-html="ipv6NetworkOfferingEnabled ? $t('message.offering.internet.protocol.warning') : $t('message.offering.ipv6.warning')" />
+              </template>
+            </a-alert>
+            <br/>
+          </span>
+          <a-radio-group
+            v-model:value="form.internetprotocol"
+            :disabled="!ipv6NetworkOfferingEnabled"
+            buttonStyle="solid"
+            @change="e => { internetProtocolValue = e.target.value }">
+            <a-radio-button value="ipv4">
+              {{ $t('label.ip.v4') }}
+            </a-radio-button>
+            <a-radio-button value="dualstack">
+              {{ $t('label.ip.v4.v6') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-row :gutter="12">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="forvpc" ref="forvpc" v-if="guestType === 'isolated'">
+              <template #label>
+                <tooltip-label :title="$t('label.vpc')" :tooltip="apiParams.forvpc.description"/>
+              </template>
+              <a-switch v-model:checked="form.forvpc" @change="handleForVpcChange" />
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="provider" ref="provider">
+              <template #label>
+                <tooltip-label :title="$t('label.provider')" :tooltip="apiParams.provider.description"/>
+              </template>
+              <a-select
+                v-model:value="form.provider"
+                disabled
+                showSearch
+                optionFilterProp="label"
+                :filterOption="(input, option) => {
+                  return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+                }"
+                :placeholder="apiParams.provider.description">
+                <a-select-option key="" value="">{{ $t('label.none') }}</a-select-option>
+                <a-select-option :value="'NSX'" :label="$t('label.nsx')">{{ $t('label.nsx') }}</a-select-option>
+                <a-select-option :value="'Netris'" :label="$t('label.netris')">{{ $t('label.netris') }}</a-select-option>
+              </a-select>
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <!-- NSX specific toggles (mirror AddNetworkOffering.vue) -->
+        <a-row :gutter="12" v-if="form.provider === 'NSX'">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="nsxsupportlb" ref="nsxsupportlb" v-if="guestType === 'isolated'">
+              <template #label>
+                <tooltip-label :title="$t('label.nsx.supports.lb')" :tooltip="apiParams.nsxsupportlb.description"/>
+              </template>
+              <a-switch v-model:checked="form.nsxsupportlb" @change="val => { handleNsxLbService(val) }" />
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12" v-if="form.nsxsupportlb && form.forvpc">
+            <a-form-item name="nsxsupportsinternallb" ref="nsxsupportsinternallb" v-if="guestType === 'isolated'">
+              <template #label>
+                <tooltip-label :title="$t('label.nsx.supports.internal.lb')" :tooltip="apiParams.nsxsupportsinternallb.description"/>
+              </template>
+              <a-switch v-model:checked="form.nsxsupportsinternallb"/>
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <a-form-item name="networkmode" ref="networkmode" v-if="guestType === 'isolated' && form.provider">
+          <template #label>
+            <tooltip-label :title="$t('label.networkmode')" :tooltip="apiParams.networkmode.description"/>
+          </template>
+          <a-select
+            v-model:value="form.networkmode"
+            @change="val => { handleForNetworkModeChange(val) }"
+            :disabled="provider === 'NSX' || provider === 'Netris'"
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :placeholder="apiParams.networkmode.description">
+            <a-select-option value="NATTED" :label="'NATTED'">NATTED</a-select-option>
+            <a-select-option value="ROUTED" :label="'ROUTED'">ROUTED</a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="routingmode" ref="routingmode" v-if="networkmode === 'ROUTED' || internetProtocolValue === 'ipv6' || internetProtocolValue === 'dualstack'">
+          <template #label>
+            <tooltip-label :title="$t('label.routingmode')" :tooltip="apiParams.routingmode.description"/>
+          </template>
+          <a-radio-group
+            v-model:value="form.routingmode"
+            buttonStyle="solid"
+            @change="selected => { routingMode = selected.target.value }">
+            <a-radio-button value="static">
+              {{ $t('label.static') }}
+            </a-radio-button>
+            <a-radio-button value="dynamic">
+              {{ $t('label.dynamic') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="userdatal2" ref="userdatal2" :label="$t('label.user.data')" v-if="guestType === 'l2'">
+          <a-switch v-model:checked="form.userdatal2" />
+        </a-form-item>
+        <a-form-item name="networkrate" ref="networkrate">
+          <template #label>
+            <tooltip-label :title="$t('label.networkrate')" :tooltip="apiParams.networkrate.description"/>
+          </template>
+          <a-input
+            v-model:value="form.networkrate"
+            :placeholder="apiParams.networkrate.description"/>
+        </a-form-item>
+        <a-row :gutter="12">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="specifyvlan" ref="specifyvlan">
+              <template #label>
+                <tooltip-label :title="$t('label.specifyvlan')" :tooltip="apiParams.specifyvlan.description"/>
+              </template>
+              <a-switch v-model:checked="form.specifyvlan" />
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="ispersistent" ref="ispersistent" v-if="guestType !== 'shared'">
+              <template #label>
+                <tooltip-label :title="$t('label.ispersistent')" :tooltip="apiParams.ispersistent.description"/>
+              </template>
+              <a-switch v-model:checked="form.ispersistent" />
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <a-row :gutter="12">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="promiscuousmode" ref="promiscuousmode">
+              <template #label>
+                <tooltip-label :title="$t('label.promiscuousmode')" :tooltip="$t('message.network.offering.promiscuous.mode')"/>
+              </template>
+              <a-radio-group
+                v-model:value="form.promiscuousmode"
+                buttonStyle="solid">
+                <a-radio-button value="">
+                  {{ $t('label.none') }}
+                </a-radio-button>
+                <a-radio-button value="true">
+                  {{ $t('label.accept') }}
+                </a-radio-button>
+                <a-radio-button value="false">
+                  {{ $t('label.reject') }}
+                </a-radio-button>
+              </a-radio-group>
+            </a-form-item>
+            <a-form-item name="macaddresschanges" ref="macaddresschanges">
+              <template #label>
+                <tooltip-label :title="$t('label.macaddresschanges')" :tooltip="$t('message.network.offering.mac.address.changes')"/>
+              </template>
+              <a-radio-group
+                v-model:value="form.macaddresschanges"
+                buttonStyle="solid">
+                <a-radio-button value="">
+                  {{ $t('label.none') }}
+                </a-radio-button>
+                <a-radio-button value="true">
+                  {{ $t('label.accept') }}
+                </a-radio-button>
+                <a-radio-button value="false">
+                  {{ $t('label.reject') }}
+                </a-radio-button>
+              </a-radio-group>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12">
+            <a-form-item name="forgedtransmits" ref="forgedtransmits">
+              <template #label>
+                <tooltip-label :title="$t('label.forgedtransmits')" :tooltip="$t('message.network.offering.forged.transmits')"/>
+              </template>
+              <a-radio-group
+                v-model:value="form.forgedtransmits"
+                buttonStyle="solid">
+                <a-radio-button value="">
+                  {{ $t('label.none') }}
+                </a-radio-button>
+                <a-radio-button value="true">
+                  {{ $t('label.accept') }}
+                </a-radio-button>
+                <a-radio-button value="false">
+                  {{ $t('label.reject') }}
+                </a-radio-button>
+              </a-radio-group>
+            </a-form-item>
+            <a-form-item name="maclearning" ref="maclearning">
+              <template #label>
+                <tooltip-label :title="$t('label.maclearning')" :tooltip="$t('message.network.offering.mac.learning')"/>
+              </template>
+              <span v-if="form.maclearning !== ''">
+                <a-alert type="warning">
+                  <template #message>
+                    <div v-html="$t('message.network.offering.mac.learning.warning')"></div>
+                  </template>
+                </a-alert>
+                <br/>
+              </span>
+              <a-radio-group
+                v-model:value="form.maclearning"
+                buttonStyle="solid">
+                <a-radio-button value="">
+                  {{ $t('label.none') }}
+                </a-radio-button>
+                <a-radio-button value="true">
+                  {{ $t('label.accept') }}
+                </a-radio-button>
+                <a-radio-button value="false">
+                  {{ $t('label.reject') }}
+                </a-radio-button>
+              </a-radio-group>
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <a-form-item v-if="guestType !== 'l2'">
+          <template #label>
+            <tooltip-label :title="$t('label.supportedservices')" :tooltip="apiParams.supportedservices ? apiParams.supportedservices.description : ''"/>
+          </template>
+          <div class="supported-services-container" scroll-to="last-child">
+            <a-spin v-if="!servicesReady" :spinning="true" />
+            <a-list v-else itemLayout="horizontal" :dataSource="supportedServices">
+              <template #renderItem="{item}">
+                <a-list-item>
+                  <CheckBoxSelectPair
+                    :key="`${item.name}-${item.selectedProvider || 'none'}-${item.defaultChecked}`"
+                    :resourceKey="item.name"
+                    :checkBoxLabel="item.description"
+                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris'"
+                    :defaultCheckBoxValue="item.defaultChecked"
+                    :defaultSelectValue="item.selectedProvider"
+                    :selectOptions="item.provider"
+                    @handle-checkselectpair-change="handleSupportedServiceChange"/>
+                </a-list-item>
+              </template>
+            </a-list>
+          </div>
+        </a-form-item>
+        <a-form-item name="lbtype" ref="lbtype" :label="$t('label.lbtype')" v-if="forVpc && lbServiceChecked">
+          <a-radio-group
+            v-model:value="form.lbtype"
+            buttonStyle="solid"
+            @change="e => { handleLbTypeChange(e.target.value) }" >
+            <a-radio-button value="publicLb">
+              {{ $t('label.public.lb') }}
+            </a-radio-button>
+            <a-radio-button value="internalLb">
+              {{ $t('label.internal.lb') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="serviceofferingid" ref="serviceofferingid" v-if="guestType !== 'l2' && isVirtualRouterForAtLeastOneService">
+          <template #label>
+            <tooltip-label :title="$t('label.serviceofferingid')" :tooltip="apiParams.serviceofferingid.description"/>
+          </template>
+          <a-select
+            showSearch
+            optionFilterProp="label"
+            v-model:value="form.serviceofferingid"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="serviceOfferingLoading"
+            :placeholder="apiParams.serviceofferingid.description">
+            <a-select-option
+              v-for="(offering, index) in serviceOfferings"
+              :value="offering.id"
+              :label="offering.displaytext || offering.name"
+              :key="index">
+              {{ offering.displaytext || offering.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item
+          name="redundantroutercapability"
+          ref="redundantroutercapability"
+          :label="$t('label.redundantrouter')"
+          v-if="(guestType === 'shared' || guestType === 'isolated') && sourceNatServiceChecked && !isVpcVirtualRouterForAtLeastOneService">
+          <a-switch v-model:checked="form.redundantroutercapability" />
+        </a-form-item>
+        <a-form-item name="sourcenattype" ref="sourcenattype" :label="$t('label.sourcenattype')" v-if="(guestType === 'shared' || guestType === 'isolated') && sourceNatServiceChecked">
+          <a-radio-group
+            v-model:value="form.sourcenattype"
+            buttonStyle="solid">
+            <a-radio-button value="peraccount">
+              {{ $t('label.per.account') }}
+            </a-radio-button>
+            <a-radio-button value="perzone">
+              {{ $t('label.per.zone') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item
+          name="vmautoscalingcapability"
+          ref="vmautoscalingcapability"
+          :label="$t('label.supportsvmautoscaling')"
+          v-if="lbServiceChecked && ['Netscaler', 'VirtualRouter', 'VpcVirtualRouter'].includes(lbServiceProvider)">
+          <a-switch v-model:checked="form.vmautoscalingcapability" />
+        </a-form-item>
+        <a-form-item
+          name="elasticlb"
+          ref="elasticlb"
+          :label="$t('label.service.lb.elasticlbcheckbox')"
+          v-if="guestType === 'shared' && lbServiceChecked && lbServiceProvider === 'Netscaler'">
+          <a-switch v-model:checked="form.elasticlb" />
+        </a-form-item>
+        <a-form-item
+          name="inlinemode"
+          ref="inlinemode"
+          :label="$t('label.service.lb.inlinemodedropdown')"
+          v-if="['shared', 'isolated'].includes(guestType) && lbServiceChecked && firewallServiceChecked && ['F5BigIp', 'Netscaler'].includes(lbServiceProvider) && ['JuniperSRX'].includes(firewallServiceProvider)">
+          <a-radio-group
+            v-model:value="form.inlinemode"
+            buttonStyle="solid">
+            <a-radio-button value="false">
+              {{ $t('side.by.side') }}
+            </a-radio-button>
+            <a-radio-button value="true">
+              {{ $t('inline') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item
+          name="netscalerservicepackages"
+          ref="netscalerservicepackages"
+          :label="$t('label.service.lb.netscaler.servicepackages')"
+          v-if="(guestType === 'shared' || guestType === 'isolated') && lbServiceChecked && lbServiceProvider === 'Netscaler'">
+          <a-select
+            v-model:value="form.netscalerservicepackages"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="registeredServicePackageLoading"
+            :placeholder="$t('label.service.lb.netscaler.servicepackages')">
+            <a-select-option v-for="(opt, optIndex) in registeredServicePackages" :key="optIndex" :label="opt.name || opt.description">
+              {{ opt.name || opt.description }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item
+          name="netscalerservicepackagesdescription"
+          ref="netscalerservicepackagesdescription"
+          :label="$t('label.service.lb.netscaler.servicepackages.description')"
+          v-if="(guestType === 'shared' || guestType === 'isolated') && lbServiceChecked && lbServiceProvider === 'Netscaler'">
+          <a-input
+            v-model:value="form.netscalerservicepackagesdescription"
+            :placeholder="$t('label.service.lb.netscaler.servicepackages.description')"/>
+        </a-form-item>
+        <a-form-item
+          name="elasticip"
+          ref="elasticip"
+          :label="$t('label.service.staticnat.elasticipcheckbox')"
+          v-if="guestType === 'shared' && staticNatServiceChecked && staticNatServiceProvider === 'Netscaler'">
+          <a-switch v-model:checked="form.elasticip" />
+        </a-form-item>
+        <a-form-item
+          name="associatepublicip"
+          ref="associatepublicip"
+          :label="$t('label.service.staticnat.associatepublicip')"
+          v-if="isElasticIp && staticNatServiceChecked && staticNatServiceProvider === 'Netscaler'">
+          <a-switch v-model:checked="form.associatepublicip" />
+        </a-form-item>
+        <a-form-item
+          name="supportsstrechedl2subnet"
+          ref="supportsstrechedl2subnet"
+          :label="$t('label.supportsstrechedl2subnet')"
+          v-if="connectivityServiceChecked">
+          <a-switch v-model:checked="form.supportsstrechedl2subnet" />
+        </a-form-item>
+        <a-form-item
+          name="conservemode"
+          ref="conservemode"
+          v-if="guestType === 'shared' || guestType === 'isolated'">
+          <template #label>
+            <tooltip-label :title="$t('label.conservemode')" :tooltip="apiParams.conservemode.description"/>
+          </template>
+          <a-switch v-model:checked="form.conservemode" />
+        </a-form-item>
+        <a-form-item name="tags" ref="tags">
+          <template #label>
+            <tooltip-label :title="$t('label.tags')" :tooltip="apiParams.tags.description"/>
+          </template>
+          <a-input
+            v-model:value="form.tags"
+            :placeholder="apiParams.tags.description"/>
+        </a-form-item>
+        <a-form-item name="availability" ref="availability" v-if="requiredNetworkOfferingExists && guestType === 'isolated' && sourceNatServiceChecked">
+          <template #label>
+            <tooltip-label :title="$t('label.availability')" :tooltip="apiParams.availability.description"/>
+          </template>
+          <a-radio-group
+            v-model:value="form.availability"
+            buttonStyle="solid">
+            <a-radio-button value="Optional">
+              {{ $t('label.optional') }}
+            </a-radio-button>
+            <a-radio-button value="Required">
+              {{ $t('label.required') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="egressdefaultpolicy" ref="egressdefaultpolicy">
+          <template #label>
+            <tooltip-label :title="$t('label.egressdefaultpolicy')" :tooltip="apiParams.egressdefaultpolicy.description"/>
+          </template>
+          <a-radio-group
+            v-model:value="form.egressdefaultpolicy"
+            buttonStyle="solid">
+            <a-radio-button value="allow">
+              {{ $t('label.allow') }}
+            </a-radio-button>
+            <a-radio-button value="deny">
+              {{ $t('label.deny') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item name="specifyipranges" ref="specifyipranges">
+          <template #label>
+            <tooltip-label :title="$t('label.specifyipranges')" :tooltip="apiParams.specifyipranges.description"/>
+          </template>
+          <a-switch v-model:checked="form.specifyipranges"/>
+        </a-form-item>
+        <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-show="isAdmin()">
+          <a-switch v-model:checked="form.ispublic" @change="val => { isPublic = val }" />
+        </a-form-item>
+        <a-form-item name="domainid" ref="domainid" v-if="!isPublic">
+          <template #label>
+            <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
+          </template>
+          <a-select
+            mode="multiple"
+            v-model:value="form.domainid"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="domainLoading"
+            :placeholder="apiParams.domainid.description">
+            <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
+              <span>
+                <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <block-outlined v-else style="margin-right: 5px" />
+                {{ opt.path || opt.name || opt.description }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="zoneid" ref="zoneid">
+          <template #label>
+            <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
+          </template>
+          <a-select
+            mode="multiple"
+            v-model:value="form.zoneid"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="zoneLoading"
+            :placeholder="apiParams.zoneid.description">
+            <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
+              <span>
+                <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <global-outlined v-else style="margin-right: 5px"/>
+                {{ opt.name || opt.description }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="enable" ref="enable" v-if="apiParams.enable">
+          <template #label>
+            <tooltip-label :title="$t('label.enable.network.offering')" :tooltip="apiParams.enable.description"/>
+          </template>
+          <a-switch v-model:checked="form.enable"/>
+        </a-form-item>
+        <div :span="24" class="action-button">
+          <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+          <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+        </div>
+      </a-form>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import { ref, reactive, toRaw } from 'vue'
+import { getAPI, postAPI } from '@/api'
+import { isAdmin } from '@/role'
+import { mixinForm } from '@/utils/mixin'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import CheckBoxSelectPair from '@/components/CheckBoxSelectPair'
+import { BlockOutlined, GlobalOutlined } from '@ant-design/icons-vue'
+import { buildServiceCapabilityParams } from '@/composables/useServiceCapabilityParams'
+
+export default {
+  name: 'CloneNetworkOffering',
+  mixins: [mixinForm],
+  components: {
+    ResourceIcon,
+    TooltipLabel,
+    CheckBoxSelectPair,
+    BlockOutlined,
+    GlobalOutlined
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      loading: false,
+      VPCVR: {
+        name: 'VPCVirtualRouter',
+        description: 'VPCVirtualRouter',
+        enabled: true
+      },
+      VR: {
+        name: 'VirtualRouter',
+        description: 'VirtualRouter',
+        enabled: true
+      },
+      NSX: {
+        name: 'Nsx',
+        description: 'Nsx',
+        enabled: true
+      },
+      Netris: {
+        name: 'Netris',
+        description: 'Netris',
+        enabled: true
+      },
+      nsxSupportedServicesMap: {},
+      netrisSupportedServicesMap: {},
+      // supported services backup
+      supportedSvcs: [],
+      guestType: 'isolated',
+      forVpc: false,
+      provider: '',
+      networkmode: '',
+      routingMode: 'static',
+      internetProtocolValue: 'ipv4',
+      networkmodes: [
+        {
+          id: 0,
+          name: 'NATTED'
+        },
+        {
+          id: 1,
+          name: 'ROUTED'
+        }
+      ],
+      supportedServices: [],
+      supportedServiceLoading: false,
+      servicesReady: false,
+      selectedServiceProviderMap: {},
+      serviceProviderMap: {},
+      serviceOfferings: [],
+      serviceOfferingLoading: false,
+      isVirtualRouterForAtLeastOneService: false,
+      isVpcVirtualRouterForAtLeastOneService: false,
+      requiredNetworkOfferingExists: false,
+      sourceNatServiceChecked: false,
+      lbServiceChecked: false,
+      lbServiceProvider: '',
+      firewallServiceChecked: false,
+      firewallServiceProvider: '',
+      staticNatServiceChecked: false,
+      staticNatServiceProvider: '',
+      connectivityServiceChecked: false,
+      isElasticIp: false,
+      registeredServicePackages: [],
+      registeredServicePackageLoading: false,
+      isPublic: true,
+      domains: [],
+      domainLoading: false,
+      zones: [],
+      zoneLoading: false,
+      ipv6NetworkOfferingEnabled: false
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('cloneNetworkOffering')
+  },
+  watch: {
+    'form.elasticip' (newVal) {
+      this.isElasticIp = newVal
+    }
+  },
+  async created () {
+    this.zones = [
+      {
+        id: null,
+        name: this.$t('label.all.zone')
+      }
+    ]
+    this.isPublic = isAdmin()
+    this.initForm()
+    await this.checkRequiredNetworkOfferingExists()
+    this.fetchSupportedServices()
+    this.fetchServiceOfferingData()
+    this.fetchDomainData()
+    this.fetchZoneData()
+    this.fetchIpv6NetworkOfferingConfiguration()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({
+        guestiptype: this.guestType,
+        internetprotocol: 'ipv4',
+        forvpc: false,
+        provider: '',
+        networkmode: '',
+        routingmode: 'static',
+        lbtype: 'publicLb',
+        userdatal2: false,
+        availability: 'Optional',
+        conservemode: true,
+        ispersistent: false,
+        specifyvlan: false,
+        specifyipranges: false,
+        egressdefaultpolicy: 'deny',
+        enable: false,
+        promiscuousmode: '',
+        macaddresschanges: '',
+        forgedtransmits: '',
+        maclearning: '',
+        ispublic: this.isPublic,
+        domainid: [],
+        zoneid: [],
+        redundantroutercapability: false,
+        sourcenattype: 'peraccount',
+        vmautoscalingcapability: true,
+        elasticlb: false,
+        inlinemode: 'false',
+        elasticip: false,
+        associatepublicip: false,
+        supportsstrechedl2subnet: false,
+        isolation: 'dedicated',
+        netscalerservicepackages: null,
+        netscalerservicepackagesdescription: '',
+        nsxsupportlb: true,
+        nsxsupportsinternallb: false
+      })
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.required.input') }],
+        networkrate: [{
+          validator: async (rule, value) => {
+            if (value && (isNaN(value) || value < 0)) {
+              return Promise.reject(this.$t('message.validate.number'))
+            }
+            return Promise.resolve()
+          }
+        }],
+        domainid: [{ type: 'array', required: true, message: this.$t('message.error.select') }],
+        zoneid: [{
+          type: 'array',
+          validator: async (rule, value) => {
+            if (value && value.length > 1 && value.indexOf(0) !== -1) {
+              return Promise.reject(this.$t('message.error.zone.combined'))
+            }
+            return Promise.resolve()
+          }
+        }]
+      })
+    },
+    fetchServiceOfferingData () {
+      this.serviceOfferingLoading = true
+      getAPI('listServiceOfferings', { issystem: true, systemvmtype: 'domainrouter' }).then(json => {
+        this.serviceOfferings = json.listserviceofferingsresponse.serviceoffering || []
+      }).finally(() => {
+        this.serviceOfferingLoading = false
+      })
+    },
+    fetchSupportedServices () {
+      this.supportedServiceLoading = true
+      getAPI('listSupportedNetworkServices', {}).then(json => {
+        this.supportedServices = json.listsupportednetworkservicesresponse.networkservice || []
+
+        for (const i in this.supportedServices) {
+          const networkServiceObj = this.supportedServices[i]
+          const serviceName = networkServiceObj.name
+          const serviceDisplayName = serviceName
+
+          const providers = []
+          for (const j in this.supportedServices[i].provider) {
+            const provider = this.supportedServices[i].provider[j]
+            providers.push({
+              name: provider.name,
+              enabled: true
+            })
+          }
+
+          this.supportedServices[i].provider = providers
+          this.supportedServices[i].description = serviceDisplayName
+        }
+
+        this.supportedSvcs = this.supportedServices.slice()
+        this.populateFormFromResource()
+        this.updateSupportedServices()
+      }).finally(() => {
+        this.supportedServiceLoading = false
+      })
+    },
+    handleLbTypeChange (lbType) {
+      this.lbType = lbType
+      // Enable InternalLbVm provider for Lb service if internalLb is selected
+      if (lbType === 'internalLb') {
+        this.supportedServices = this.supportedServices.map(svc => {
+          if (svc.name === 'Lb') {
+            const providers = svc.provider.map(provider => {
+              provider.enabled = provider.name === 'InternalLbVm'
+              this.lbServiceProvider = provider
+              return provider
+            })
+            return { ...svc, provider: providers, defaultChecked: true, selectedProvider: 'InternalLbVm' }
+          }
+          return svc
+        })
+        this.selectedServiceProviderMap.Lb = 'InternalLbVm'
+      } else {
+        // Revert to default providers for Lb service
+        this.supportedServices = this.supportedServices.map(svc => {
+          if (svc.name === 'Lb') {
+            const providers = svc.provider.map(provider => {
+              provider.enabled = provider.name !== 'InternalLbVm'
+              return provider
+            })
+            // Pick the first enabled provider as selected
+            const firstEnabled = providers.find(p => p.enabled)
+            return { ...svc, provider: providers, defaultChecked: !!firstEnabled, selectedProvider: firstEnabled ? firstEnabled.name : null }
+          }
+          return svc
+        })
+        // Update selectedServiceProviderMap for Lb
+        const lbSvc = this.supportedServices.find(svc => svc.name === 'Lb')
+        if (lbSvc && lbSvc.selectedProvider) {
+          this.selectedServiceProviderMap.Lb = lbSvc.selectedProvider
+        } else {
+          delete this.selectedServiceProviderMap.Lb
+        }
+      }
+      this.updateSupportedServices()
+    },
+    populateFormFromResource () {
+      if (!this.resource) return
+
+      const r = this.resource
+      this.form.name = r.name + ' - Clone'
+      this.form.displaytext = r.displaytext || r.name
+
+      if (r.guestiptype) {
+        this.guestType = r.guestiptype.toLowerCase()
+        this.form.guestiptype = r.guestiptype.toLowerCase()
+
+        if (this.guestType === 'l2' && r.service && Array.isArray(r.service)) {
+          this.form.userdatal2 = r.service.some(svc => svc.name === 'UserData')
+        }
+      }
+      if (r.internetprotocol) {
+        this.form.internetprotocol = r.internetprotocol.toLowerCase()
+        this.internetProtocolValue = r.internetprotocol.toLowerCase()
+      }
+      if (r.forvpc !== undefined) {
+        this.forVpc = r.forvpc
+        this.form.forvpc = r.forvpc
+      }
+
+      if (r.service && Array.isArray(r.service)) {
+        // Prefer provider from NetworkACL service if present (for NSX/Netris), else scan other services
+        let detectedProvider = null
+        const networkAclService = r.service.find(svc => svc.name === 'NetworkACL')
+        if (networkAclService && networkAclService.provider && networkAclService.provider.length > 0) {
+          const provName = (networkAclService.provider[0].name || '').toLowerCase()
+          if (provName === 'nsx') detectedProvider = 'NSX'
+          else if (provName === 'netris') detectedProvider = 'Netris'
+        }
+
+        if (!detectedProvider) {
+          // fallback: detect provider (Nsx/Netris) from any service provider in the source offering
+          for (const svc of r.service) {
+            if (svc.provider && Array.isArray(svc.provider) && svc.provider.length > 0) {
+              const provName = (svc.provider[0].name || '').toLowerCase()
+              if (provName === 'nsx') {
+                detectedProvider = 'NSX'
+                break
+              } else if (provName === 'netris') {
+                detectedProvider = 'Netris'
+                break
+              }
+            }
+          }
+        }
+
+        if (detectedProvider) {
+          this.provider = detectedProvider
+          this.form.provider = detectedProvider
+          if (detectedProvider === 'NSX') {
+            this.nsxSupportedServicesMap = {}
+            for (const svc of r.service) {
+              if (svc.provider && svc.provider.length > 0) {
+                const provName = svc.provider[0].name
+                if (provName && provName.toLowerCase() === 'nsx') {
+                  this.nsxSupportedServicesMap[svc.name] = this.NSX
+                } else if (svc.name === 'Dhcp' || svc.name === 'Dns' || svc.name === 'UserData') {
+                  this.nsxSupportedServicesMap[svc.name] = this.forVpc ? this.VPCVR : this.VR
+                }
+              }
+            }
+            if (this.forVpc) {
+              this.nsxSupportedServicesMap.NetworkACL = this.NSX
+            } else {
+              this.nsxSupportedServicesMap.Firewall = this.NSX
+            }
+          }
+        }
+      }
+
+      if (r.networkmode) {
+        this.networkmode = r.networkmode
+        this.form.networkmode = r.networkmode
+      }
+
+      if (r.supportsinternallb) {
+        this.form.lbtype = 'internalLb'
+      }
+
+      if (r.availability) {
+        const isIsolatedWithSourceNat = this.guestType === 'isolated' &&
+                                        r.service &&
+                                        r.service.some(svc => svc.name === 'SourceNat')
+        if (isIsolatedWithSourceNat && this.requiredNetworkOfferingExists) {
+          this.form.availability = 'Optional'
+        } else {
+          this.form.availability = r.availability
+        }
+      }
+      if (r.tags) this.form.tags = r.tags
+      if (r.conservemode !== undefined) this.form.conservemode = r.conservemode
+      if (r.ispersistent !== undefined) this.form.ispersistent = r.ispersistent
+      if (r.specifyvlan !== undefined) this.form.specifyvlan = r.specifyvlan
+      if (r.specifyipranges !== undefined) this.form.specifyipranges = r.specifyipranges
+      if (r.egressdefaultpolicy !== undefined) {
+        this.form.egressdefaultpolicy = r.egressdefaultpolicy ? 'allow' : 'deny'
+      }
+      if (r.networkrate) this.form.networkrate = r.networkrate
+      if (r.serviceofferingid) this.form.serviceofferingid = r.serviceofferingid
+
+      if (r.details) {
+        if (r.details.promiscuousmode) this.form.promiscuousmode = r.details.promiscuousmode
+        if (r.details.macaddresschanges) this.form.macaddresschanges = r.details.macaddresschanges
+        if (r.details.forgedtransmits) this.form.forgedtransmits = r.details.forgedtransmits
+        if (r.details.maclearning) this.form.maclearning = r.details.maclearning
+      }
+
+      this.forVpc = r.forvpc || false
+
+      if (r.service && Array.isArray(r.service)) {
+        const sourceServiceMap = {}
+        r.service.forEach(svc => {
+          if (svc.provider && svc.provider.length > 0) {
+            const providerName = svc.provider[0].name
+            sourceServiceMap[svc.name] = providerName
+          }
+        })
+
+        this.serviceProviderMap = sourceServiceMap
+
+        const updatedServices = this.supportedServices.map(svc => {
+          const serviceCopy = { ...svc, provider: [...svc.provider] }
+
+          if (sourceServiceMap[serviceCopy.name]) {
+            const providerName = sourceServiceMap[serviceCopy.name]
+
+            const providerIndex = serviceCopy.provider.findIndex(p => p.name === providerName)
+
+            if (providerIndex > 0) {
+              const targetProvider = serviceCopy.provider[providerIndex]
+              serviceCopy.provider.splice(providerIndex, 1)
+              serviceCopy.provider.unshift(targetProvider)
+            }
+
+            serviceCopy.defaultChecked = true
+            serviceCopy.selectedProvider = providerName
+            this.selectedServiceProviderMap[serviceCopy.name] = providerName
+          } else {
+            serviceCopy.defaultChecked = false
+            serviceCopy.selectedProvider = null
+          }
+          return serviceCopy
+        })
+
+        this.supportedServices = updatedServices
+        this.supportedSvcs = updatedServices.map(svc => ({ ...svc }))
+
+        this.sourceNatServiceChecked = !!this.selectedServiceProviderMap.SourceNat
+        this.lbServiceChecked = !!this.selectedServiceProviderMap.Lb
+        this.lbServiceProvider = this.selectedServiceProviderMap.Lb || ''
+        this.firewallServiceChecked = !!this.selectedServiceProviderMap.Firewall
+        this.firewallServiceProvider = this.selectedServiceProviderMap.Firewall || ''
+        this.staticNatServiceChecked = !!this.selectedServiceProviderMap.StaticNat
+        this.staticNatServiceProvider = this.selectedServiceProviderMap.StaticNat || ''
+        this.connectivityServiceChecked = !!this.selectedServiceProviderMap.Connectivity
+
+        this.$nextTick(() => {
+          this.servicesReady = true
+          this.$nextTick(() => {
+            this.checkVirtualRouterForServices()
+          })
+        })
+      }
+      if (this.provider === 'NSX') {
+        this.form.nsxsupportlb = Boolean(this.serviceProviderMap.Lb)
+        this.form.nsxsupportsinternallb = Boolean(r.nsxsupportsinternallb)
+        this.handleNsxLbService(this.form.nsxsupportlb)
+      }
+    },
+    updateSupportedServices () {
+      const supportedServices = this.supportedServices || []
+      if (!this.supportedSvcs || this.supportedSvcs.length === 0) {
+        this.supportedSvcs = supportedServices.slice()
+      }
+
+      if (this.provider !== 'NSX' && this.provider !== 'Netris') {
+        const filtered = supportedServices.map(svc => {
+          if (svc.name !== 'Connectivity') {
+            const providers = svc.provider.map(provider => {
+              if (this.forVpc) {
+                const enabledProviders = ['VpcVirtualRouter', 'Netscaler', 'BigSwitchBcf', 'ConfigDrive']
+                if (self.lbType === 'internalLb') {
+                  enabledProviders.push('InternalLbVm')
+                }
+                provider.enabled = enabledProviders.includes(provider.name)
+              } else {
+                provider.enabled = !['InternalLbVm', 'VpcVirtualRouter', 'Nsx', 'Netris'].includes(provider.name)
+              }
+              return provider
+            })
+            return { ...svc, provider: providers }
+          }
+          return svc
+        })
+        this.supportedServices = filtered
+      } else {
+        let svcMap = this.provider === 'NSX' ? this.nsxSupportedServicesMap : this.netrisSupportedServicesMap
+        if (!svcMap || Object.keys(svcMap).length === 0) {
+          svcMap = {}
+          const forVpc = this.forVpc
+          const baseProvider = this.provider === 'NSX' ? this.NSX : this.Netris
+          const vrProvider = forVpc ? this.VPCVR : this.VR
+          svcMap.Dhcp = vrProvider
+          svcMap.Dns = vrProvider
+          svcMap.UserData = vrProvider
+          if (this.networkmode === 'NATTED') {
+            svcMap.SourceNat = baseProvider
+            svcMap.StaticNat = baseProvider
+            svcMap.PortForwarding = baseProvider
+            svcMap.Lb = baseProvider
+          }
+          if (forVpc) {
+            svcMap.NetworkACL = baseProvider
+          } else {
+            svcMap.Firewall = baseProvider
+          }
+        }
+
+        const filtered = this.supportedSvcs.filter(svc => Object.keys(svcMap).includes(svc.name))
+          .map(svc => {
+            const preserveSelected = svc.selectedProvider !== undefined ? { defaultChecked: svc.defaultChecked, selectedProvider: svc.selectedProvider } : {}
+            const mappedProvider = svcMap[svc.name]
+            if (!['Dhcp', 'Dns', 'UserData'].includes(svc.name)) {
+              return { ...svc, provider: [mappedProvider], ...preserveSelected }
+            }
+            return { ...svc, provider: [mappedProvider], ...preserveSelected }
+          })
+        this.supportedServices = filtered
+        const newSelectedMap = {}
+        for (const svc of filtered) {
+          const mappedProvider = svc.provider && svc.provider[0]
+          const providerName = svc.selectedProvider || (mappedProvider && mappedProvider.name) || null
+          if (providerName) {
+            newSelectedMap[svc.name] = providerName
+          }
+        }
+        this.selectedServiceProviderMap = newSelectedMap
+      }
+    },
+    checkVirtualRouterForServices () {
+      this.isVirtualRouterForAtLeastOneService = false
+      this.isVpcVirtualRouterForAtLeastOneService = false
+      for (const service in this.selectedServiceProviderMap) {
+        const provider = this.selectedServiceProviderMap[service]
+        if (provider === 'VirtualRouter') {
+          this.isVirtualRouterForAtLeastOneService = true
+        } else if (provider === 'VpcVirtualRouter') {
+          this.isVirtualRouterForAtLeastOneService = true
+          this.isVpcVirtualRouterForAtLeastOneService = true
+        }
+      }
+    },
+    handleGuestTypeChange (val) {
+      this.guestType = val
+    },
+    handleForVpcChange (val) {
+      this.forVpc = val
+      this.updateSupportedServices()
+    },
+    handleNsxLbService (supportLb) {
+      const forVpc = this.forVpc
+      const baseProvider = this.NSX
+      const vrProvider = forVpc ? this.VPCVR : this.VR
+
+      const map = {
+        Dhcp: vrProvider,
+        Dns: vrProvider,
+        UserData: vrProvider
+      }
+      const wantSourceNat = this.networkmode === 'NATTED' || !!this.serviceProviderMap.SourceNat
+      const wantStaticNat = this.networkmode === 'NATTED' || !!this.serviceProviderMap.StaticNat
+      const wantPortForwarding = this.networkmode === 'NATTED' || !!this.serviceProviderMap.PortForwarding
+      const wantLb = supportLb || !!this.serviceProviderMap.Lb
+
+      if (wantSourceNat) map.SourceNat = baseProvider
+      if (wantStaticNat) map.StaticNat = baseProvider
+      if (wantPortForwarding) map.PortForwarding = baseProvider
+      if (wantLb) map.Lb = baseProvider
+
+      if (forVpc) map.NetworkACL = baseProvider
+      else map.Firewall = baseProvider
+
+      this.nsxSupportedServicesMap = map
+      this.updateSupportedServices()
+    },
+    handleForNetworkModeChange (val) {
+      this.networkmode = val
+
+      const routedExcludedServices = ['SourceNat', 'StaticNat', 'Lb', 'PortForwarding', 'Vpn']
+
+      if (val === 'ROUTED' && this.guestType === 'isolated') {
+        routedExcludedServices.forEach(service => {
+          if (this.selectedServiceProviderMap[service]) {
+            this.handleSupportedServiceChange(service, false, null)
+          }
+        })
+
+        this.supportedServices = this.supportedServices.map(svc => {
+          if (routedExcludedServices.includes(svc.name)) {
+            return {
+              ...svc,
+              defaultChecked: false,
+              selectedProvider: null
+            }
+          }
+          return svc
+        })
+      } else if (val === 'NATTED') {
+        routedExcludedServices.forEach(service => {
+          if (!this.selectedServiceProviderMap[service] && this.serviceProviderMap[service]) {
+            const provider = this.serviceProviderMap[service]
+            this.handleSupportedServiceChange(service, true, provider)
+          }
+        })
+
+        this.supportedServices = this.supportedServices.map(svc => {
+          if (routedExcludedServices.includes(svc.name) && this.serviceProviderMap[svc.name]) {
+            return {
+              ...svc,
+              defaultChecked: true,
+              selectedProvider: this.serviceProviderMap[svc.name]
+            }
+          }
+          return svc
+        })
+      }
+    },
+    isAdmin () {
+      return isAdmin()
+    },
+    fetchDomainData () {
+      const params = {}
+      params.listAll = true
+      params.showicon = true
+      params.details = 'min'
+      this.domainLoading = true
+      getAPI('listDomains', params).then(json => {
+        const listDomains = json.listdomainsresponse.domain
+        this.domains = this.domains.concat(listDomains)
+      }).finally(() => {
+        this.domainLoading = false
+      })
+    },
+    fetchZoneData () {
+      const params = {}
+      params.showicon = true
+      this.zoneLoading = true
+      getAPI('listZones', params).then(json => {
+        const listZones = json.listzonesresponse.zone
+        if (listZones) {
+          this.zones = this.zones.concat(listZones)
+        }
+      }).finally(() => {
+        this.zoneLoading = false
+      })
+    },
+    checkRequiredNetworkOfferingExists () {
+      return getAPI('listNetworkOfferings', {
+        guestiptype: 'Isolated',
+        sourcenatsupported: true,
+        availability: 'Required',
+        state: 'Enabled'
+      }).then(json => {
+        const offerings = json.listnetworkofferingsresponse.networkoffering || []
+        this.requiredNetworkOfferingExists = offerings.length > 0
+        return this.requiredNetworkOfferingExists
+      }).catch(error => {
+        console.error('checkRequiredNetworkOfferingExists: Error checking for required offerings:', error)
+        this.requiredNetworkOfferingExists = false
+        return false
+      })
+    },
+    fetchIpv6NetworkOfferingConfiguration () {
+      this.ipv6NetworkOfferingEnabled = false
+      const params = { name: 'ipv6.offering.enabled' }
+      getAPI('listConfigurations', params).then(json => {
+        const value = json?.listconfigurationsresponse?.configuration?.[0].value || null
+        this.ipv6NetworkOfferingEnabled = value === 'true'
+      })
+    },
+    fetchRegisteredServicePackages () {
+      this.registeredServicePackageLoading = true
+      getAPI('listRegisteredServicePackages', {}).then(json => {
+        this.registeredServicePackages = json.listregisteredservicepackage?.registeredServicePackage || []
+      }).finally(() => {
+        this.registeredServicePackageLoading = false
+      })
+    },
+    handleSupportedServiceChange (service, checked, provider) {
+      if (checked) {
+        const correctProvider = this.serviceProviderMap[service]
+        if (correctProvider && provider !== correctProvider) {
+          this.selectedServiceProviderMap[service] = correctProvider
+        } else {
+          this.selectedServiceProviderMap[service] = provider
+        }
+      } else {
+        delete this.selectedServiceProviderMap[service]
+      }
+
+      if (service === 'SourceNat') {
+        this.sourceNatServiceChecked = checked
+      } else if (service === 'Lb') {
+        this.lbServiceChecked = checked
+        this.lbServiceProvider = checked ? provider : ''
+        if (checked && provider === 'Netscaler') {
+          this.fetchRegisteredServicePackages()
+        }
+      } else if (service === 'Firewall') {
+        this.firewallServiceChecked = checked
+        this.firewallServiceProvider = checked ? provider : ''
+      } else if (service === 'StaticNat') {
+        this.staticNatServiceChecked = checked
+        this.staticNatServiceProvider = checked ? provider : ''
+      } else if (service === 'Connectivity') {
+        this.connectivityServiceChecked = checked
+      }
+
+      this.checkVirtualRouterForServices()
+    },
+    handleSubmit (e) {
+      if (e) {
+        e.preventDefault()
+      }
+      if (this.loading) return
+
+      this.formRef.value.validate().then(() => {
+        const formRaw = toRaw(this.form)
+        const values = this.handleRemoveFields(formRaw)
+
+        const params = {
+          sourceofferingid: this.resource.id,
+          name: values.name
+        }
+
+        if (values.displaytext) {
+          params.displaytext = values.displaytext
+        }
+
+        const forNsx = values.provider === 'NSX'
+        if (forNsx) {
+          params.provider = 'NSX'
+          params.nsxsupportlb = values.nsxsupportlb
+          if ('nsxsupportsinternallb' in values) {
+            params.nsxsupportsinternallb = values.nsxsupportsinternallb
+          }
+        }
+        const forNetris = values.provider === 'Netris'
+        if (forNetris) {
+          params.provider = 'Netris'
+        }
+
+        if (values.guestiptype) {
+          params.guestiptype = values.guestiptype
+        }
+
+        // Use composable for service capability params
+        if (this.selectedServiceProviderMap != null) {
+          buildServiceCapabilityParams(params, values, this.selectedServiceProviderMap, this.registeredServicePackages)
+        } else {
+          if (!('supportedservices' in params)) {
+            params.supportedservices = ''
+          }
+        }
+
+        if (values.guestiptype === 'l2' && values.userdatal2 === true) {
+          params.supportedservices = 'UserData'
+        }
+
+        if (values.availability) {
+          params.availability = values.availability
+        }
+        if (values.tags) {
+          params.tags = values.tags
+        }
+        if (values.specifyvlan !== undefined) {
+          params.specifyvlan = values.specifyvlan
+        }
+        if (values.conservemode !== undefined) {
+          params.conservemode = values.conservemode
+        }
+        if (values.ispersistent !== undefined) {
+          params.ispersistent = values.ispersistent
+        }
+        if (values.specifyipranges !== undefined) {
+          params.specifyipranges = values.specifyipranges
+        }
+        if (values.egressdefaultpolicy !== undefined) {
+          params.egressdefaultpolicy = values.egressdefaultpolicy
+        }
+        if (values.networkrate) {
+          params.networkrate = values.networkrate
+        }
+        if (values.serviceofferingid) {
+          params.serviceofferingid = values.serviceofferingid
+        }
+        if (values.enable !== undefined) {
+          params.enable = values.enable
+        }
+
+        if (values.ispublic !== true) {
+          const domainIndexes = values.domainid
+          let domainId = null
+          if (domainIndexes && domainIndexes.length > 0) {
+            const domainIds = []
+            for (let i = 0; i < domainIndexes.length; i++) {
+              domainIds.push(this.domains[domainIndexes[i]].id)
+            }
+            domainId = domainIds.join(',')
+          }
+          if (domainId) {
+            params.domainid = domainId
+          }
+        }
+        if (values.networkmode) {
+          params.networkmode = values.networkmode
+        }
+
+        const zoneIndexes = values.zoneid
+        let zoneId = null
+        if (zoneIndexes && zoneIndexes.length > 0) {
+          const zoneIds = []
+          for (let j = 0; j < zoneIndexes.length; j++) {
+            zoneIds.push(this.zones[zoneIndexes[j]].id)
+          }
+          zoneId = zoneIds.join(',')
+        }
+        if (zoneId) {
+          params.zoneid = zoneId
+        }
+
+        params.traffictype = this.resource.traffictype || 'GUEST'
+
+        let detailsIndex = 0
+        if (values.promiscuousmode && values.promiscuousmode !== '') {
+          params['details[' + detailsIndex + '].key'] = 'promiscuousmode'
+          params['details[' + detailsIndex + '].value'] = values.promiscuousmode
+          detailsIndex++
+        }
+        if (values.macaddresschanges && values.macaddresschanges !== '') {
+          params['details[' + detailsIndex + '].key'] = 'macaddresschanges'
+          params['details[' + detailsIndex + '].value'] = values.macaddresschanges
+          detailsIndex++
+        }
+        if (values.forgedtransmits && values.forgedtransmits !== '') {
+          params['details[' + detailsIndex + '].key'] = 'forgedtransmits'
+          params['details[' + detailsIndex + '].value'] = values.forgedtransmits
+          detailsIndex++
+        }
+        if (values.maclearning && values.maclearning !== '') {
+          params['details[' + detailsIndex + '].key'] = 'maclearning'
+          params['details[' + detailsIndex + '].value'] = values.maclearning
+          detailsIndex++
+        }
+
+        this.loading = true
+        postAPI('cloneNetworkOffering', params).then(json => {
+          this.$message.success(`${this.$t('message.success.clone.network.offering')} ${values.name}`)
+          this.$emit('refresh-data')
+          this.closeAction()
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.loading = false
+        })
+      }).catch(error => {
+        this.formRef.value.scrollToField(error.errorFields[0].name)
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="less">
+  .form-layout {
+    width: 80vw;
+
+    @media (min-width: 700px) {
+      width: 550px;
+    }
+  }
+
+  .supported-services-container {
+    height: 250px;
+    overflow-y: scroll;
+  }
+</style>
diff --git a/ui/src/views/offering/CloneVpcOffering.vue b/ui/src/views/offering/CloneVpcOffering.vue
new file mode 100644
index 00000000000..cecc0c600b5
--- /dev/null
+++ b/ui/src/views/offering/CloneVpcOffering.vue
@@ -0,0 +1,854 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+<template>
+  <div class="form-layout" v-ctrl-enter="handleSubmit">
+    <a-spin :spinning="loading">
+      <a-alert
+        v-if="resource"
+        type="info"
+        style="margin-bottom: 16px">
+        <template #message>
+          <div style="display: block; width: 100%;">
+            <div style="display: block; margin-bottom: 8px;">
+              <strong>{{ $t('message.clone.offering.from') }}: {{ resource.name }}</strong>
+            </div>
+            <div style="display: block; font-size: 12px;">
+              {{ $t('message.clone.offering.edit.hint') }}
+            </div>
+          </div>
+        </template>
+      </a-alert>
+      <a-form
+        :ref="formRef"
+        :model="form"
+        :rules="rules"
+        @finish="handleSubmit"
+        layout="vertical"
+       >
+        <a-form-item name="name" ref="name">
+          <template #label>
+            <tooltip-label :title="$t('label.name')" :tooltip="apiParams.name.description"/>
+          </template>
+          <a-input
+            v-focus="true"
+            v-model:value="form.name"
+            :placeholder="apiParams.name.description"/>
+        </a-form-item>
+        <a-form-item name="displaytext" ref="displaytext">
+          <template #label>
+            <tooltip-label :title="$t('label.displaytext')" :tooltip="apiParams.displaytext.description"/>
+          </template>
+          <a-input
+            v-model:value="form.displaytext"
+            :placeholder="apiParams.displaytext.description"/>
+        </a-form-item>
+        <a-form-item name="internetprotocol" ref="internetprotocol">
+          <template #label>
+            <tooltip-label :title="$t('label.internetprotocol')" :tooltip="apiParams.internetprotocol.description"/>
+          </template>
+          <span v-if="!ipv6NetworkOfferingEnabled || internetProtocolValue!=='ipv4'">
+            <a-alert type="warning">
+              <template #message>
+                <span v-html="ipv6NetworkOfferingEnabled ? $t('message.offering.internet.protocol.warning') : $t('message.offering.ipv6.warning')" />
+              </template>
+            </a-alert>
+            <br/>
+          </span>
+          <a-radio-group
+            v-model:value="form.internetprotocol"
+            :disabled="!ipv6NetworkOfferingEnabled"
+            buttonStyle="solid"
+            @change="e => { internetProtocolValue = e.target.value }" >
+            <a-radio-button value="ipv4">
+              {{ $t('label.ip.v4') }}
+            </a-radio-button>
+            <a-radio-button value="dualstack">
+              {{ $t('label.ip.v4.v6') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-row :gutter="12">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="provider" ref="provider">
+              <template #label>
+                <tooltip-label :title="$t('label.provider')" :tooltip="apiParams.provider.description"/>
+              </template>
+              <a-select
+                v-model:value="form.provider"
+                @change="val => handleProviderChange(val)"
+                showSearch
+                disabled
+                optionFilterProp="label"
+                :filterOption="(input, option) => {
+                  return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+                }"
+                :placeholder="apiParams.provider.description" >
+                <a-select-option key="" value="">{{ $t('label.none') }}</a-select-option>
+                <a-select-option :value="'NSX'" :label="$t('label.nsx')"> {{ $t('label.nsx') }} </a-select-option>
+                <a-select-option :value="'Netris'" :label="$t('label.netris')"> {{ $t('label.netris') }} </a-select-option>
+              </a-select>
+            </a-form-item>
+          </a-col>
+          <a-col :md="12" :lg="12" v-if="form.provider === 'NSX'">
+            <a-form-item name="nsxsupportlb" ref="nsxsupportlb">
+              <template #label>
+                <tooltip-label :title="$t('label.nsx.supports.lb')" :tooltip="apiParams.nsxsupportlb.description"/>
+              </template>
+              <a-switch v-model:checked="form.nsxsupportlb" @change="val => { handleNsxLbService(val) }" />
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <a-row :gutter="12" v-if="routingMode === 'dynamic' && form.provider === 'NSX'">
+          <a-col :md="12" :lg="12">
+            <a-form-item name="specifyasnumber" ref="specifyasnumber">
+              <template #label>
+                <tooltip-label :title="$t('label.specifyasnumber')"/>
+              </template>
+              <a-switch v-model:checked="form.specifyasnumber" />
+            </a-form-item>
+          </a-col>
+        </a-row>
+        <a-form-item name="networkmode" ref="networkmode">
+          <template #label>
+            <tooltip-label :title="$t('label.networkmode')" :tooltip="apiParams.networkmode.description"/>
+          </template>
+          <a-select
+            optionFilterProp="label"
+            v-model:value="form.networkmode"
+            :disabled="provider === 'NSX' || provider === 'Netris'"
+            @change="val => { handleForNetworkModeChange(val) }"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :placeholder="apiParams.networkmode.description">
+            <a-select-option v-for="(opt) in networkmodes" :key="opt.name" :label="opt.name">
+              {{ opt.name }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="routingmode" ref="routingmode" v-if="networkmode === 'ROUTED' || internetProtocolValue === 'ipv6' || internetProtocolValue === 'dualstack'">
+          <template #label>
+            <tooltip-label :title="$t('label.routingmode')" :tooltip="apiParams.routingmode.description"/>
+          </template>
+          <a-radio-group
+            v-model:value="form.routingmode"
+            buttonStyle="solid"
+            @change="selected => { routingMode = selected.target.value }">
+            <a-radio-button value="static">
+              {{ $t('label.static') }}
+            </a-radio-button>
+            <a-radio-button value="dynamic">
+              {{ $t('label.dynamic') }}
+            </a-radio-button>
+          </a-radio-group>
+        </a-form-item>
+        <a-form-item>
+          <template #label>
+            <tooltip-label :title="$t('label.supportedservices')" :tooltip="apiParams.supportedservices ? apiParams.supportedservices.description : ''"/>
+          </template>
+          <div class="supported-services-container" scroll-to="last-child">
+            <a-spin v-if="!servicesReady" :spinning="true" />
+            <a-list v-else itemLayout="horizontal" :dataSource="supportedServices">
+              <template #renderItem="{ item }">
+                <a-list-item>
+                  <CheckBoxSelectPair
+                    :key="`${item.name}-${item.selectedProvider || 'none'}`"
+                    :resourceKey="item.name"
+                    :checkBoxLabel="item.description"
+                    :forExternalNetProvider="form.provider === 'NSX' || form.provider === 'Netris'"
+                    :defaultCheckBoxValue="item.defaultChecked"
+                    :defaultSelectValue="item.selectedProvider"
+                    :selectOptions="item.provider"
+                    @handle-checkselectpair-change="handleSupportedServiceChange"/>
+                </a-list-item>
+              </template>
+            </a-list>
+          </div>
+        </a-form-item>
+        <a-form-item name="regionlevelvpc" ref="regionlevelvpc" :label="$t('label.service.connectivity.regionlevelvpccapabilitycheckbox')" v-if="connectivityServiceChecked">
+          <a-switch v-model:checked="form.regionlevelvpc" />
+        </a-form-item>
+        <a-form-item name="distributedrouter" ref="distributedrouter" :label="$t('label.service.connectivity.distributedroutercapabilitycheckbox')" v-if="connectivityServiceChecked">
+          <a-switch v-model:checked="form.distributedrouter" />
+        </a-form-item>
+        <a-form-item name="redundantrouter" ref="redundantrouter" :label="$t('label.redundantrouter')" v-if="sourceNatServiceChecked">
+          <a-switch v-model:checked="form.redundantrouter" />
+        </a-form-item>
+        <a-form-item name="serviceofferingid" ref="serviceofferingid">
+          <a-alert v-if="!isVpcVirtualRouterForAtLeastOneService" type="warning" style="margin-bottom: 10px">
+            <template #message>
+              <span v-html="$t('message.vr.alert.upon.network.offering.creation.others')" />
+            </template>
+          </a-alert>
+          <template #label>
+            <tooltip-label :title="$t('label.serviceofferingid')" :tooltip="apiParams.serviceofferingid.description"/>
+          </template>
+          <a-select
+            showSearch
+            optionFilterProp="label"
+            v-model:value="form.serviceofferingid"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="serviceOfferingLoading"
+            :placeholder="apiParams.serviceofferingid.description">
+            <a-select-option v-for="(opt) in serviceOfferings" :key="opt.id" :label="opt.name || opt.description">
+              {{ opt.name || opt.description }}
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="ispublic" ref="ispublic" :label="$t('label.ispublic')" v-if="isAdmin()">
+          <a-switch v-model:checked="form.ispublic" @change="val => { isPublic = val }" />
+        </a-form-item>
+        <a-form-item name="domainid" ref="domainid" v-if="!isPublic">
+          <template #label>
+            <tooltip-label :title="$t('label.domainid')" :tooltip="apiParams.domainid.description"/>
+          </template>
+          <a-select
+            mode="multiple"
+            v-model:value="form.domainid"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="domainLoading"
+            :placeholder="apiParams.domainid.description">
+            <a-select-option v-for="(opt, optIndex) in domains" :key="optIndex" :label="opt.path || opt.name || opt.description">
+              <span>
+                <resource-icon v-if="opt && opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <block-outlined v-else style="margin-right: 5px" />
+                {{ opt.path || opt.name || opt.description }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="zoneid" ref="zoneid">
+          <template #label>
+            <tooltip-label :title="$t('label.zoneid')" :tooltip="apiParams.zoneid.description"/>
+          </template>
+          <a-select
+            id="zone-selection"
+            mode="multiple"
+            v-model:value="form.zoneid"
+            showSearch
+            optionFilterProp="label"
+            :filterOption="(input, option) => {
+              return option.label.toLowerCase().indexOf(input.toLowerCase()) >= 0
+            }"
+            :loading="zoneLoading"
+            :placeholder="apiParams.zoneid.description">
+            <a-select-option v-for="(opt, optIndex) in zones" :key="optIndex" :label="opt.name || opt.description">
+              <span>
+                <resource-icon v-if="opt.icon" :image="opt.icon.base64image" size="1x" style="margin-right: 5px"/>
+                <global-outlined v-else style="margin-right: 5px"/>
+                {{ opt.name || opt.description }}
+              </span>
+            </a-select-option>
+          </a-select>
+        </a-form-item>
+        <a-form-item name="enable" ref="enable" v-if="apiParams.enable">
+          <template #label>
+            <tooltip-label :title="$t('label.enable.vpc.offering')" :tooltip="apiParams.enable.description"/>
+          </template>
+          <a-switch v-model:checked="form.enable" />
+        </a-form-item>
+      </a-form>
+      <div :span="24" class="action-button">
+        <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
+        <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>
+      </div>
+    </a-spin>
+  </div>
+</template>
+
+<script>
+import { ref, reactive, toRaw } from 'vue'
+import { getAPI, postAPI } from '@/api'
+import { isAdmin } from '@/role'
+import { mixinForm } from '@/utils/mixin'
+import CheckBoxSelectPair from '@/components/CheckBoxSelectPair'
+import ResourceIcon from '@/components/view/ResourceIcon'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
+import { BlockOutlined, GlobalOutlined } from '@ant-design/icons-vue'
+import { buildVpcServiceCapabilityParams } from '@/composables/useServiceCapabilityParams'
+
+export default {
+  name: 'CloneVpcOffering',
+  mixins: [mixinForm],
+  components: {
+    CheckBoxSelectPair,
+    ResourceIcon,
+    TooltipLabel,
+    BlockOutlined,
+    GlobalOutlined
+  },
+  props: {
+    resource: {
+      type: Object,
+      required: true
+    }
+  },
+  data () {
+    return {
+      selectedDomains: [],
+      selectedZones: [],
+      isConserveMode: true,
+      internetProtocolValue: 'ipv4',
+      domains: [],
+      domainLoading: false,
+      zones: [],
+      zoneLoading: false,
+      forNsx: false,
+      provider: '',
+      loading: false,
+      supportedServices: [],
+      supportedServiceLoading: false,
+      servicesReady: false,
+      serviceOfferings: [],
+      serviceOfferingLoading: false,
+      isVpcVirtualRouterForAtLeastOneService: false,
+      connectivityServiceChecked: false,
+      sourceNatServiceChecked: false,
+      selectedServiceProviderMap: {},
+      serviceProviderMap: {},
+      ipv6NetworkOfferingEnabled: false,
+      routedNetworkEnabled: false,
+      routingMode: 'static',
+      networkmode: '',
+      networkmodes: [
+        {
+          id: 0,
+          name: 'NATTED'
+        },
+        {
+          id: 1,
+          name: 'ROUTED'
+        }
+      ],
+      isPublic: true,
+      VPCVR: {
+        name: 'VpcVirtualRouter',
+        description: 'VpcVirtualRouter',
+        enabled: true
+      },
+      NSX: {
+        name: 'Nsx',
+        description: 'Nsx',
+        enabled: true
+      },
+      Netris: {
+        name: 'Netris',
+        description: 'Netris',
+        enabled: true
+      }
+    }
+  },
+  beforeCreate () {
+    this.apiParams = this.$getApiParams('cloneVPCOffering')
+  },
+  created () {
+    this.zones = [
+      {
+        id: null,
+        name: this.$t('label.all.zone')
+      }
+    ]
+    this.isPublic = isAdmin()
+    this.initForm()
+    this.fetchData()
+  },
+  methods: {
+    initForm () {
+      this.formRef = ref()
+      this.form = reactive({
+        regionlevelvpc: true,
+        distributedrouter: true,
+        ispublic: this.isPublic,
+        internetprotocol: this.internetProtocolValue,
+        nsxsupportlb: true,
+        routingmode: 'static',
+        domainid: [],
+        zoneid: []
+      })
+      this.rules = reactive({
+        name: [{ required: true, message: this.$t('message.error.name') }],
+        domainid: [{ type: 'array', required: true, message: this.$t('message.error.select') }],
+        zoneid: [{
+          type: 'array',
+          validator: async (rule, value) => {
+            if (value && value.length > 1 && value.indexOf(0) !== -1) {
+              return Promise.reject(this.$t('message.error.zone.combined'))
+            }
+            return Promise.resolve()
+          }
+        }]
+      })
+    },
+    fetchData () {
+      this.fetchDomainData()
+      this.fetchZoneData()
+      this.fetchIpv6NetworkOfferingConfiguration()
+      this.fetchRoutedNetworkConfiguration()
+      this.fetchSupportedServiceData()
+    },
+    isAdmin () {
+      return isAdmin()
+    },
+    fetchIpv6NetworkOfferingConfiguration () {
+      this.ipv6NetworkOfferingEnabled = false
+      const params = { name: 'ipv6.offering.enabled' }
+      getAPI('listConfigurations', params).then(json => {
+        const value = json?.listconfigurationsresponse?.configuration?.[0].value || null
+        this.ipv6NetworkOfferingEnabled = value === 'true'
+      })
+    },
+    fetchRoutedNetworkConfiguration () {
+      this.routedNetworkEnabled = false
+      const params = { name: 'routed.network.vpc.enabled' }
+      getAPI('listConfigurations', params).then(json => {
+        const value = json?.listconfigurationsresponse?.configuration?.[0].value || null
+        this.routedNetworkEnabled = value === 'true'
+        if (!this.routedNetworkEnabled) {
+          this.networkmodes.pop()
+        }
+      })
+    },
+    fetchDomainData () {
+      const params = {}
+      params.listAll = true
+      params.showicon = true
+      params.details = 'min'
+      this.domainLoading = true
+      getAPI('listDomains', params).then(json => {
+        const listDomains = json.listdomainsresponse.domain
+        this.domains = this.domains.concat(listDomains)
+      }).finally(() => {
+        this.domainLoading = false
+      })
+    },
+    fetchZoneData () {
+      const params = {}
+      params.showicon = true
+      this.zoneLoading = true
+      getAPI('listZones', params).then(json => {
+        const listZones = json.listzonesresponse.zone
+        if (listZones) {
+          this.zones = this.zones.concat(listZones)
+        }
+      }).finally(() => {
+        this.zoneLoading = false
+      })
+    },
+    fetchSupportedServiceData () {
+      this.supportedServiceLoading = true
+      getAPI('listSupportedNetworkServices', {}).then(json => {
+        const networkServices = json.listsupportednetworkservicesresponse.networkservice || []
+
+        let services = []
+        if (this.provider === 'NSX') {
+          services = this.buildNsxServices(networkServices)
+        } else if (this.provider === 'Netris') {
+          services = this.buildNetrisServices(networkServices)
+        } else {
+          services = this.buildDefaultServices(networkServices)
+        }
+
+        if (this.networkmode === 'ROUTED') {
+          services = services.filter(service => {
+            return !['SourceNat', 'StaticNat', 'Lb', 'PortForwarding', 'Vpn'].includes(service.name)
+          })
+          if (['NSX', 'Netris'].includes(this.provider)) {
+            services.push({
+              name: 'Gateway',
+              description: 'Gateway',
+              enabled: true,
+              provider: [{ name: this.provider }]
+            })
+          }
+        }
+
+        for (const i in services) {
+          services[i].description = services[i].name
+        }
+
+        this.supportedServices = services
+        this.supportedServiceLoading = false
+
+        this.$nextTick(() => {
+          this.populateFormFromResource()
+        })
+      })
+    },
+    buildNsxServices (networkServices) {
+      return [
+        { name: 'Dhcp', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] },
+        { name: 'Dns', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] },
+        { name: 'Lb', enabled: true, provider: [{ name: 'Nsx' }] },
+        { name: 'StaticNat', enabled: true, provider: [{ name: 'Nsx' }] },
+        { name: 'SourceNat', enabled: true, provider: [{ name: 'Nsx' }] },
+        { name: 'NetworkACL', enabled: true, provider: [{ name: 'Nsx' }] },
+        { name: 'PortForwarding', enabled: true, provider: [{ name: 'Nsx' }] },
+        { name: 'UserData', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] }
+      ]
+    },
+    buildNetrisServices (networkServices) {
+      return [
+        { name: 'Dhcp', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] },
+        { name: 'Dns', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] },
+        { name: 'Lb', enabled: true, provider: [{ name: 'Netris' }] },
+        { name: 'StaticNat', enabled: true, provider: [{ name: 'Netris' }] },
+        { name: 'SourceNat', enabled: true, provider: [{ name: 'Netris' }] },
+        { name: 'NetworkACL', enabled: true, provider: [{ name: 'Netris' }] },
+        { name: 'PortForwarding', enabled: true, provider: [{ name: 'Netris' }] },
+        { name: 'UserData', enabled: true, provider: [{ name: 'VpcVirtualRouter' }] }
+      ]
+    },
+    buildDefaultServices (networkServices) {
+      return [
+        { name: 'Dhcp', provider: [{ name: 'VpcVirtualRouter' }, { name: 'ConfigDrive' }] },
+        { name: 'Dns', provider: [{ name: 'VpcVirtualRouter' }, { name: 'ConfigDrive' }] },
+        { name: 'Lb', provider: [{ name: 'VpcVirtualRouter' }, { name: 'InternalLbVm' }] },
+        { name: 'Gateway', provider: [{ name: 'VpcVirtualRouter' }, { name: 'BigSwitchBcf' }] },
+        { name: 'StaticNat', provider: [{ name: 'VpcVirtualRouter' }, { name: 'BigSwitchBcf' }] },
+        { name: 'SourceNat', provider: [{ name: 'VpcVirtualRouter' }, { name: 'BigSwitchBcf' }] },
+        { name: 'NetworkACL', provider: [{ name: 'VpcVirtualRouter' }, { name: 'BigSwitchBcf' }] },
+        { name: 'PortForwarding', provider: [{ name: 'VpcVirtualRouter' }] },
+        { name: 'UserData', provider: [{ name: 'VpcVirtualRouter' }, { name: 'ConfigDrive' }] },
+        { name: 'Vpn', provider: [{ name: 'VpcVirtualRouter' }, { name: 'BigSwitchBcf' }] },
+        { name: 'Connectivity', provider: [{ name: 'BigSwitchBcf' }, { name: 'NiciraNvp' }, { name: 'Ovs' }, { name: 'JuniperContrailVpcRouter' }] }
+      ]
+    },
+    populateFormFromResource () {
+      if (!this.resource) return
+
+      const r = this.resource
+      this.form.name = r.name + ' - Clone'
+      this.form.displaytext = r.displaytext || r.name
+
+      if (r.internetprotocol) {
+        this.form.internetprotocol = r.internetprotocol.toLowerCase()
+        this.internetProtocolValue = r.internetprotocol.toLowerCase()
+      }
+
+      if (r.service && Array.isArray(r.service)) {
+        const networkAclService = r.service.find(svc => svc.name === 'NetworkACL')
+        if (networkAclService && networkAclService.provider && networkAclService.provider.length > 0) {
+          const providerName = networkAclService.provider[0].name
+          if (providerName === 'Nsx') {
+            this.provider = 'NSX'
+            this.form.provider = 'NSX'
+          } else if (providerName === 'Netris') {
+            this.provider = 'Netris'
+            this.form.provider = 'Netris'
+          }
+        }
+      }
+
+      if (r.networkmode) {
+        this.networkmode = r.networkmode
+        this.form.networkmode = r.networkmode
+      }
+
+      if (r.routingmode) {
+        this.routingMode = r.routingmode
+        this.form.routingmode = r.routingmode
+      }
+
+      if (r.serviceofferingid) {
+        this.form.serviceofferingid = r.serviceofferingid
+      }
+
+      if (r.service && Array.isArray(r.service)) {
+        const sourceServiceMap = {}
+        r.service.forEach(svc => {
+          if (svc.provider && svc.provider.length > 0) {
+            const providerName = svc.provider[0].name
+            sourceServiceMap[svc.name] = providerName
+          }
+        })
+
+        this.serviceProviderMap = sourceServiceMap
+
+        const updatedServices = this.supportedServices.map(svc => {
+          const serviceCopy = { ...svc, provider: [...svc.provider] }
+
+          if (sourceServiceMap[serviceCopy.name]) {
+            const providerName = sourceServiceMap[serviceCopy.name]
+            const providerIndex = serviceCopy.provider.findIndex(p => p.name === providerName)
+
+            if (providerIndex > 0) {
+              const targetProvider = serviceCopy.provider[providerIndex]
+              serviceCopy.provider.splice(providerIndex, 1)
+              serviceCopy.provider.unshift(targetProvider)
+            }
+
+            serviceCopy.defaultChecked = true
+            serviceCopy.selectedProvider = providerName
+            this.selectedServiceProviderMap[serviceCopy.name] = providerName
+          } else {
+            serviceCopy.defaultChecked = false
+            serviceCopy.selectedProvider = null
+          }
+          return serviceCopy
+        })
+
+        this.supportedServices = updatedServices
+
+        this.connectivityServiceChecked = Boolean(this.selectedServiceProviderMap.Connectivity)
+        this.sourceNatServiceChecked = Boolean(this.selectedServiceProviderMap.SourceNat)
+
+        this.$nextTick(() => {
+          this.servicesReady = true
+          this.$nextTick(() => {
+            this.checkVpcVirtualRouterForServices()
+          })
+        })
+      }
+
+      if (r.service && Array.isArray(r.service)) {
+        const connectivityService = r.service.find(svc => svc.name === 'Connectivity')
+        if (connectivityService && connectivityService.capability) {
+          const regionLevelCapability = connectivityService.capability.find(cap => cap.name === 'RegionLevelVpc')
+          if (regionLevelCapability) {
+            this.form.regionlevelvpc = regionLevelCapability.value === 'true'
+          }
+          const distributedRouterCapability = connectivityService.capability.find(cap => cap.name === 'DistributedRouter')
+          if (distributedRouterCapability) {
+            this.form.distributedrouter = distributedRouterCapability.value === 'true'
+          }
+        }
+
+        const sourceNatService = r.service.find(svc => svc.name === 'SourceNat')
+        if (sourceNatService && sourceNatService.capability) {
+          const redundantRouterCapability = sourceNatService.capability.find(cap => cap.name === 'RedundantRouter')
+          if (redundantRouterCapability) {
+            this.form.redundantrouter = redundantRouterCapability.value === 'true'
+          }
+        }
+
+        const gatewayService = r.service.find(svc => svc.name === 'Gateway')
+        if (gatewayService && gatewayService.capability) {
+          const redundantRouterCapability = gatewayService.capability.find(cap => cap.name === 'RedundantRouter')
+          if (redundantRouterCapability) {
+            this.form.redundantrouter = redundantRouterCapability.value === 'true'
+          }
+        }
+      }
+
+      if (this.provider === 'NSX') {
+        this.form.nsxsupportlb = Boolean(this.serviceProviderMap.Lb)
+      }
+    },
+    async handleProviderChange (value) {
+      this.provider = value
+      if (this.provider === 'NSX') {
+        this.form.nsxsupportlb = true
+        this.handleNsxLbService(true)
+      }
+      this.fetchSupportedServiceData()
+    },
+    handleNsxLbService (supportLb) {
+      if (!supportLb) {
+        this.supportedServices = this.supportedServices.filter(svc => svc.name !== 'Lb')
+        delete this.selectedServiceProviderMap.Lb
+      } else {
+        const lbExists = this.supportedServices.some(svc => svc.name === 'Lb')
+        if (!lbExists) {
+          this.supportedServices.push({
+            name: 'Lb',
+            description: 'Lb',
+            enabled: true,
+            provider: [{ name: 'Nsx' }]
+          })
+        }
+      }
+    },
+    handleSupportedServiceChange (service, checked, provider) {
+      if (checked) {
+        const correctProvider = this.serviceProviderMap[service]
+        if (correctProvider && provider !== correctProvider) {
+          this.selectedServiceProviderMap[service] = correctProvider
+        } else {
+          this.selectedServiceProviderMap[service] = provider
+        }
+      } else {
+        delete this.selectedServiceProviderMap[service]
+      }
+
+      if (service === 'Connectivity') {
+        this.connectivityServiceChecked = checked
+      }
+      if (service === 'SourceNat') {
+        this.sourceNatServiceChecked = checked
+      }
+
+      this.checkVpcVirtualRouterForServices()
+    },
+    checkVpcVirtualRouterForServices () {
+      this.isVpcVirtualRouterForAtLeastOneService = false
+      const providers = Object.values(this.selectedServiceProviderMap)
+      for (const provider of providers) {
+        if (provider === 'VpcVirtualRouter') {
+          this.isVpcVirtualRouterForAtLeastOneService = true
+          break
+        }
+      }
+      if (this.isVpcVirtualRouterForAtLeastOneService && this.serviceOfferings.length === 0) {
+        this.fetchServiceOfferingData()
+      }
+    },
+    handleForNetworkModeChange (networkMode) {
+      this.networkmode = networkMode
+      this.fetchSupportedServiceData()
+    },
+    fetchServiceOfferingData () {
+      const params = {}
+      params.issystem = true
+      params.systemvmtype = 'domainrouter'
+      this.serviceOfferingLoading = true
+      getAPI('listServiceOfferings', params).then(json => {
+        const listServiceOfferings = json.listserviceofferingsresponse.serviceoffering
+        this.serviceOfferings = this.serviceOfferings.concat(listServiceOfferings)
+      }).finally(() => {
+        this.serviceOfferingLoading = false
+      })
+    },
+    handleSubmit (e) {
+      if (e) {
+        e.preventDefault()
+      }
+      if (this.loading) return
+      this.formRef.value.validate().then(() => {
+        const formRaw = toRaw(this.form)
+        const values = this.handleRemoveFields(formRaw)
+        const params = {
+          sourceofferingid: this.resource.id,
+          name: values.name
+        }
+        if (values.displaytext) {
+          params.displaytext = values.displaytext
+        }
+
+        if (values.ispublic !== true) {
+          const domainIndexes = values.domainid
+          let domainId = null
+          if (domainIndexes && domainIndexes.length > 0) {
+            const domainIds = []
+            for (let i = 0; i < domainIndexes.length; i++) {
+              domainIds.push(this.domains[domainIndexes[i]].id)
+            }
+            domainId = domainIds.join(',')
+          }
+          if (domainId) {
+            params.domainid = domainId
+          }
+        }
+
+        const zoneIndexes = values.zoneid
+        let zoneId = null
+        if (zoneIndexes && zoneIndexes.length > 0) {
+          const zoneIds = []
+          for (let j = 0; j < zoneIndexes.length; j++) {
+            zoneIds.push(this.zones[zoneIndexes[j]].id)
+          }
+          zoneId = zoneIds.join(',')
+        }
+        if (zoneId) {
+          params.zoneid = zoneId
+        }
+
+        if (values.internetprotocol) {
+          params.internetprotocol = values.internetprotocol
+        }
+
+        const forNsx = values.provider === 'NSX'
+        if (forNsx) {
+          params.provider = 'NSX'
+          params.nsxsupportlb = values.nsxsupportlb
+        }
+        const forNetris = values.provider === 'Netris'
+        if (forNetris) {
+          params.provider = 'Netris'
+        }
+
+        if (values.networkmode) {
+          params.networkmode = values.networkmode
+        }
+
+        if (values.specifyasnumber !== undefined) {
+          params.specifyasnumber = values.specifyasnumber
+        }
+
+        if (values.routingmode) {
+          params.routingmode = values.routingmode
+        }
+
+        if (this.selectedServiceProviderMap != null) {
+          const supportedServices = Object.keys(this.selectedServiceProviderMap)
+          if (!forNsx && !forNetris) {
+            params.supportedservices = supportedServices.join(',')
+          }
+          for (const k in supportedServices) {
+            params['serviceProviderList[' + k + '].service'] = supportedServices[k]
+            params['serviceProviderList[' + k + '].provider'] = this.selectedServiceProviderMap[supportedServices[k]]
+          }
+          buildVpcServiceCapabilityParams(params, values, this.selectedServiceProviderMap, this.isVpcVirtualRouterForAtLeastOneService)
+        } else {
+          params.supportedservices = ''
+        }
+
+        if (values.enable !== undefined) {
+          params.enable = values.enable
+        }
+
+        this.loading = true
+        postAPI('cloneVPCOffering', params).then(json => {
+          this.$message.success(`${this.$t('message.success.clone.vpc.offering')} ${values.name}`)
+          this.$emit('refresh-data')
+          this.closeAction()
+        }).catch(error => {
+          this.$notifyError(error)
+        }).finally(() => {
+          this.loading = false
+        })
+      }).catch(error => {
+        this.formRef.value.scrollToField(error.errorFields[0].name)
+      })
+    },
+    closeAction () {
+      this.$emit('close-action')
+    }
+  }
+}
+</script>
+
+<style scoped lang="scss">
+  .form-layout {
+    width: 80vw;
+
+    @media (min-width: 800px) {
+      width: 500px;
+    }
+  }
+
+  .supported-services-container {
+    height: 250px;
+    overflow: auto;
+  }
+</style>
diff --git a/utils/src/main/java/com/cloud/utils/script/Script.java b/utils/src/main/java/com/cloud/utils/script/Script.java
index 8544ee14c86..5a92d12eeda 100644
--- a/utils/src/main/java/com/cloud/utils/script/Script.java
+++ b/utils/src/main/java/com/cloud/utils/script/Script.java
@@ -31,6 +31,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.Callable;
@@ -44,6 +45,7 @@ import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 
+import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.logging.log4j.LogManager;
@@ -243,6 +245,14 @@ public class Script implements Callable<String> {
     }
 
     public String execute(OutputInterpreter interpreter) {
+        return executeInternal(interpreter, null);
+    }
+
+    public String execute(OutputInterpreter interpreter, Map<String, String> environment) {
+        return executeInternal(interpreter, environment);
+    }
+
+    private String executeInternal(OutputInterpreter interpreter, Map<String, String> environment) {
         String[] command = _command.toArray(new String[_command.size()]);
         String commandLine = buildCommandLine(command);
         if (_logger.isDebugEnabled() ) {
@@ -254,11 +264,19 @@ public class Script implements Callable<String> {
 
             ProcessBuilder pb = new ProcessBuilder(command);
             pb.redirectErrorStream(true);
-            if (_workDir != null)
+
+            if (MapUtils.isNotEmpty(environment)) {
+                Map<String, String> processEnvironment = pb.environment();
+                processEnvironment.putAll(environment);
+            }
+
+            if (_workDir != null) {
                 pb.directory(new File(_workDir));
+            }
 
             _logger.trace(String.format("Starting process for command [%s].", commandLine));
             _process = pb.start();
+
             if (_process == null) {
                 _logger.warn(String.format("Unable to execute command [%s] because no process was created.", commandLine));
                 return "Unable to execute the command: " + command[0];