feat: add methods to enable and disable single routes

2026-04-05 12:32:58 +01:00 · 2022-09-16 11:33:14 +02:00
parent f71ca49693
commit 3b9ce04ec8
10 changed files with 512 additions and 237 deletions
@@ -26,7 +26,8 @@ func machineCommands() *coral.Command {
 	command.AddCommand(expireMachineCommand())
 	command.AddCommand(listMachinesCommand())
 	command.AddCommand(getMachineRoutesCommand())
-	command.AddCommand(setMachineRoutesCommand())
+	command.AddCommand(enableMachineRoutesCommand())
+	command.AddCommand(disableMachineRoutesCommand())
 	command.AddCommand(enableMachineKeyExpiryCommand())
 	command.AddCommand(disableMachineKeyExpiryCommand())

@@ -109,6 +110,22 @@ func getMachineCommand() *coral.Command {
 			}
 		}

+		for i, t := range m.AdvertisedRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Advertised routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
+		for i, t := range m.EnabledRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Enabled routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
 		return nil
 	}

@@ -262,11 +279,25 @@ func getMachineRoutesCommand() *coral.Command {
 			return err
 		}

-		tbl := table.New("ROUTE", "ALLOWED")
-		for _, r := range resp.Msg.Routes {
-			tbl.AddRow(r.Advertised, r.Allowed)
+		w := new(tabwriter.Writer)
+		w.Init(os.Stdout, 8, 8, 0, '\t', 0)
+		defer w.Flush()
+
+		for i, t := range resp.Msg.AdvertisedRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Advertised routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
+		for i, t := range resp.Msg.EnabledRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Enabled routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
 		}
-		tbl.Print()

 		return nil
 	}
@@ -274,19 +305,21 @@ func getMachineRoutesCommand() *coral.Command {
 	return command
 }

-func setMachineRoutesCommand() *coral.Command {
+func enableMachineRoutesCommand() *coral.Command {
 	command := &coral.Command{
-		Use:          "set-routes",
-		Short:        "Set the enabled routes for a given machine",
+		Use:          "enable-routes",
+		Short:        "Enable routes for a given machine",
 		SilenceUsage: true,
 	}

 	var machineID uint64
-	var allowedIps []string
+	var routes []string
+	var replace bool
 	var target = Target{}
 	target.prepareCommand(command)
 	command.Flags().Uint64Var(&machineID, "machine-id", 0, "Machine ID")
-	command.Flags().StringSliceVar(&allowedIps, "allowed-ips", []string{}, "List of routes to enable")
+	command.Flags().StringSliceVar(&routes, "routes", []string{}, "List of routes to enable")
+	command.Flags().BoolVar(&replace, "replace", false, "Replace current enabled routes with this new list")

 	_ = command.MarkFlagRequired("machine-id")

@@ -296,26 +329,97 @@ func setMachineRoutesCommand() *coral.Command {
 			return err
 		}

-		var prefixes []netaddr.IPPrefix
-		for _, r := range allowedIps {
-			p, err := netaddr.ParseIPPrefix(r)
-			if err != nil {
+		for _, r := range routes {
+			if _, err := netaddr.ParseIPPrefix(r); err != nil {
 				return err
 			}
-			prefixes = append(prefixes, p)
 		}

-		req := api.SetMachineRoutesRequest{MachineId: machineID, AllowedIps: allowedIps}
-		resp, err := client.SetMachineRoutes(context.Background(), connect.NewRequest(&req))
+		req := api.EnableMachineRoutesRequest{MachineId: machineID, Routes: routes, Replace: replace}
+		resp, err := client.EnableMachineRoutes(context.Background(), connect.NewRequest(&req))
 		if err != nil {
 			return err
 		}

-		tbl := table.New("ROUTE", "ALLOWED")
-		for _, r := range resp.Msg.Routes {
-			tbl.AddRow(r.Advertised, r.Allowed)
+		w := new(tabwriter.Writer)
+		w.Init(os.Stdout, 8, 8, 0, '\t', 0)
+		defer w.Flush()
+
+		for i, t := range resp.Msg.AdvertisedRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Advertised routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
+		for i, t := range resp.Msg.EnabledRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Enabled routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
+		return nil
+	}
+
+	return command
+}
+
+func disableMachineRoutesCommand() *coral.Command {
+	command := &coral.Command{
+		Use:          "disable-routes",
+		Short:        "Disable routes for a given machine",
+		SilenceUsage: true,
+	}
+
+	var machineID uint64
+	var routes []string
+	var target = Target{}
+	target.prepareCommand(command)
+	command.Flags().Uint64Var(&machineID, "machine-id", 0, "Machine ID")
+	command.Flags().StringSliceVar(&routes, "routes", []string{}, "List of routes to enable")
+
+	_ = command.MarkFlagRequired("machine-id")
+
+	command.RunE = func(command *coral.Command, args []string) error {
+		client, err := target.createGRPCClient()
+		if err != nil {
+			return err
+		}
+
+		for _, r := range routes {
+			if _, err := netaddr.ParseIPPrefix(r); err != nil {
+				return err
+			}
+		}
+
+		req := api.DisableMachineRoutesRequest{MachineId: machineID, Routes: routes}
+		resp, err := client.DisableMachineRoutes(context.Background(), connect.NewRequest(&req))
+		if err != nil {
+			return err
+		}
+
+		w := new(tabwriter.Writer)
+		w.Init(os.Stdout, 8, 8, 0, '\t', 0)
+		defer w.Flush()
+
+		for i, t := range resp.Msg.AdvertisedRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Advertised routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
+		}
+
+		for i, t := range resp.Msg.EnabledRoutes {
+			if i == 0 {
+				fmt.Fprintf(w, "%s\t%s\n", "Enabled routes", t)
+			} else {
+				fmt.Fprintf(w, "%s\t%s\n", "", t)
+			}
 		}
-		tbl.Print()

 		return nil
 	}
@@ -126,6 +126,47 @@ func (IP) GormDBDataType(db *gorm.DB, field *schema.Field) string {

 type AllowIPs []netip.Prefix

+type AllowIPsSet struct {
+	items map[netip.Prefix]bool
+}
+
+func NewAllowIPsSet(t AllowIPs) *AllowIPsSet {
+	s := &AllowIPsSet{}
+	return s.Add(t...)
+}
+
+func (s *AllowIPsSet) Add(t ...netip.Prefix) *AllowIPsSet {
+	if s.items == nil {
+		s.items = make(map[netip.Prefix]bool)
+	}
+
+	for _, v := range t {
+		s.items[v] = true
+	}
+
+	return s
+}
+
+func (s *AllowIPsSet) Remove(t ...netip.Prefix) *AllowIPsSet {
+	if s.items == nil {
+		return s
+	}
+
+	for _, v := range t {
+		delete(s.items, v)
+	}
+
+	return s
+}
+
+func (s *AllowIPsSet) Items() []netip.Prefix {
+	items := []netip.Prefix{}
+	for i := range s.items {
+		items = append(items, i)
+	}
+	return items
+}
+
 func (hi *AllowIPs) Scan(destination interface{}) error {
 	switch value := destination.(type) {
 	case []byte:
@@ -21,13 +21,23 @@ func (s *Service) machineToApi(m *domain.Machine) *api.Machine {
 	if m.NameIdx != 0 {
 		name = fmt.Sprintf("%s-%d", m.Name, m.NameIdx)
 	}
-	// TODO connected?
+
 	online := false
 	if m.LastSeen != nil {
 		lastSeen = timestamppb.New(*m.LastSeen)
 		online = m.LastSeen.After(time.Now().Add(-config.KeepAliveInterval))
 	}

+	var advertisedRoutes []string
+	for _, r := range m.HostInfo.RoutableIPs {
+		advertisedRoutes = append(advertisedRoutes, r.String())
+	}
+
+	var enabledRoutes []string
+	for _, r := range m.AllowIPs {
+		enabledRoutes = append(enabledRoutes, r.String())
+	}
+
 	return &api.Machine{
 		Id:                m.ID,
 		Name:              name,
@@ -53,6 +63,8 @@ func (s *Service) machineToApi(m *domain.Machine) *api.Machine {
 		ClientConnectivity: &api.ClientConnectivity{
 			Endpoints: m.Endpoints,
 		},
+		AdvertisedRoutes: advertisedRoutes,
+		EnabledRoutes:    enabledRoutes,
 	}
 }

@@ -156,6 +168,25 @@ func (s *Service) ExpireMachine(ctx context.Context, req *connect.Request[api.Ex
 	return connect.NewResponse(&api.ExpireMachineResponse{}), nil
 }

+func (s *Service) createMachineRoutesResponse(m *domain.Machine) (*connect.Response[api.GetMachineRoutesResponse], error) {
+	var advertisedRoutes []string
+	for _, r := range m.HostInfo.RoutableIPs {
+		advertisedRoutes = append(advertisedRoutes, r.String())
+	}
+
+	var enabledRoutes []string
+	for _, r := range m.AllowIPs {
+		enabledRoutes = append(enabledRoutes, r.String())
+	}
+
+	response := api.GetMachineRoutesResponse{
+		AdvertisedRoutes: advertisedRoutes,
+		EnabledRoutes:    enabledRoutes,
+	}
+
+	return connect.NewResponse(&response), nil
+}
+
 func (s *Service) GetMachineRoutes(ctx context.Context, req *connect.Request[api.GetMachineRoutesRequest]) (*connect.Response[api.GetMachineRoutesResponse], error) {
 	principal := CurrentPrincipal(ctx)

@@ -172,22 +203,10 @@ func (s *Service) GetMachineRoutes(ctx context.Context, req *connect.Request[api
 		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
 	}

-	var routes []*api.RoutableIP
-	for _, r := range m.HostInfo.RoutableIPs {
-		routes = append(routes, &api.RoutableIP{
-			Advertised: r.String(),
-			Allowed:    m.IsAllowedIPPrefix(r),
-		})
-	}
-
-	response := api.GetMachineRoutesResponse{
-		Routes: routes,
-	}
-
-	return connect.NewResponse(&response), nil
+	return s.createMachineRoutesResponse(m)
 }

-func (s *Service) SetMachineRoutes(ctx context.Context, req *connect.Request[api.SetMachineRoutesRequest]) (*connect.Response[api.GetMachineRoutesResponse], error) {
+func (s *Service) EnableMachineRoutes(ctx context.Context, req *connect.Request[api.EnableMachineRoutesRequest]) (*connect.Response[api.GetMachineRoutesResponse], error) {
 	principal := CurrentPrincipal(ctx)

 	m, err := s.repository.GetMachine(ctx, req.Msg.MachineId)
@@ -203,35 +222,68 @@ func (s *Service) SetMachineRoutes(ctx context.Context, req *connect.Request[api
 		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
 	}

-	var allowedIps []netip.Prefix
-	for _, r := range req.Msg.AllowedIps {
+	var enabledRoutes = domain.NewAllowIPsSet(m.AllowIPs)
+
+	if req.Msg.Replace {
+		enabledRoutes = domain.NewAllowIPsSet([]netip.Prefix{})
+	}
+
+	var routesToBeRemoved []netip.Prefix
+	for _, r := range req.Msg.Routes {
 		prefix, err := netip.ParsePrefix(r)
 		if err != nil {
 			return nil, err
 		}
-		allowedIps = append(allowedIps, prefix)
+		enabledRoutes.Add(prefix)
+		routesToBeRemoved = append(routesToBeRemoved, prefix)
 	}

-	m.AllowIPs = allowedIps
+	m.AllowIPs = enabledRoutes.Items()
 	if err := s.repository.SaveMachine(ctx, m); err != nil {
 		return nil, err
 	}

 	s.pubsub.Publish(m.TailnetID, &broker.Signal{PeerUpdated: &m.ID})

-	var routes []*api.RoutableIP
-	for _, r := range m.HostInfo.RoutableIPs {
-		routes = append(routes, &api.RoutableIP{
-			Advertised: r.String(),
-			Allowed:    m.IsAllowedIPPrefix(r),
-		})
+	return s.createMachineRoutesResponse(m)
+}
+
+func (s *Service) DisableMachineRoutes(ctx context.Context, req *connect.Request[api.DisableMachineRoutesRequest]) (*connect.Response[api.GetMachineRoutesResponse], error) {
+	principal := CurrentPrincipal(ctx)
+
+	m, err := s.repository.GetMachine(ctx, req.Msg.MachineId)
+	if err != nil {
+		return nil, err
 	}

-	response := api.GetMachineRoutesResponse{
-		Routes: routes,
+	if m == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("machine not found"))
 	}

-	return connect.NewResponse(&response), nil
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(m.TailnetID) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	enabledRoutes := domain.NewAllowIPsSet(m.AllowIPs)
+
+	var routesToBeRemoved []netip.Prefix
+	for _, r := range req.Msg.Routes {
+		prefix, err := netip.ParsePrefix(r)
+		if err != nil {
+			return nil, err
+		}
+		enabledRoutes.Remove(prefix)
+		routesToBeRemoved = append(routesToBeRemoved, prefix)
+	}
+
+	m.AllowIPs = enabledRoutes.Items()
+	if err := s.repository.SaveMachine(ctx, m); err != nil {
+		return nil, err
+	}
+
+	s.pubsub.Publish(m.TailnetID, &broker.Signal{PeerUpdated: &m.ID})
+
+	return s.createMachineRoutesResponse(m)
 }

 func (s *Service) SetMachineKeyExpiry(ctx context.Context, req *connect.Request[api.SetMachineKeyExpiryRequest]) (*connect.Response[api.SetMachineKeyExpiryResponse], error) {
@@ -48,7 +48,7 @@ var file_ionscale_v1_ionscale_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31,
 	0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x69, 0x6f, 0x6e, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x72, 0x70, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x32, 0xce, 0x12, 0x0a, 0x0f, 0x49, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53,
+	0x74, 0x6f, 0x32, 0xbf, 0x13, 0x0a, 0x0f, 0x49, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53,
 	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x4f, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72,
 	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1e, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
 	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71,
@@ -191,17 +191,24 @@ var file_ionscale_v1_ionscale_proto_rawDesc = []byte{
 	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61,
 	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
 	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
-	0x12, 0x61, 0x0a, 0x10, 0x53, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x12, 0x24, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x69, 0x6f, 0x6e,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x00, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
-	0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x12, 0x67, 0x0a, 0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x27, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x25, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x69, 0x0a, 0x14, 0x44, 0x69, 0x73,
+	0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x12, 0x28, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x69, 0x6f,
+	0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x00, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var file_ionscale_v1_ionscale_proto_goTypes = []interface{}{
@@ -231,33 +238,34 @@ var file_ionscale_v1_ionscale_proto_goTypes = []interface{}{
 	(*DeleteMachineRequest)(nil),        // 23: ionscale.v1.DeleteMachineRequest
 	(*SetMachineKeyExpiryRequest)(nil),  // 24: ionscale.v1.SetMachineKeyExpiryRequest
 	(*GetMachineRoutesRequest)(nil),     // 25: ionscale.v1.GetMachineRoutesRequest
-	(*SetMachineRoutesRequest)(nil),     // 26: ionscale.v1.SetMachineRoutesRequest
-	(*GetVersionResponse)(nil),          // 27: ionscale.v1.GetVersionResponse
-	(*AuthenticationResponse)(nil),      // 28: ionscale.v1.AuthenticationResponse
-	(*GetDERPMapResponse)(nil),          // 29: ionscale.v1.GetDERPMapResponse
-	(*SetDERPMapResponse)(nil),          // 30: ionscale.v1.SetDERPMapResponse
-	(*CreateTailnetResponse)(nil),       // 31: ionscale.v1.CreateTailnetResponse
-	(*GetTailnetResponse)(nil),          // 32: ionscale.v1.GetTailnetResponse
-	(*ListTailnetResponse)(nil),         // 33: ionscale.v1.ListTailnetResponse
-	(*DeleteTailnetResponse)(nil),       // 34: ionscale.v1.DeleteTailnetResponse
-	(*GetDNSConfigResponse)(nil),        // 35: ionscale.v1.GetDNSConfigResponse
-	(*SetDNSConfigResponse)(nil),        // 36: ionscale.v1.SetDNSConfigResponse
-	(*GetIAMPolicyResponse)(nil),        // 37: ionscale.v1.GetIAMPolicyResponse
-	(*SetIAMPolicyResponse)(nil),        // 38: ionscale.v1.SetIAMPolicyResponse
-	(*GetACLPolicyResponse)(nil),        // 39: ionscale.v1.GetACLPolicyResponse
-	(*SetACLPolicyResponse)(nil),        // 40: ionscale.v1.SetACLPolicyResponse
-	(*GetAuthKeyResponse)(nil),          // 41: ionscale.v1.GetAuthKeyResponse
-	(*CreateAuthKeyResponse)(nil),       // 42: ionscale.v1.CreateAuthKeyResponse
-	(*DeleteAuthKeyResponse)(nil),       // 43: ionscale.v1.DeleteAuthKeyResponse
-	(*ListAuthKeysResponse)(nil),        // 44: ionscale.v1.ListAuthKeysResponse
-	(*ListUsersResponse)(nil),           // 45: ionscale.v1.ListUsersResponse
-	(*DeleteUserResponse)(nil),          // 46: ionscale.v1.DeleteUserResponse
-	(*GetMachineResponse)(nil),          // 47: ionscale.v1.GetMachineResponse
-	(*ListMachinesResponse)(nil),        // 48: ionscale.v1.ListMachinesResponse
-	(*ExpireMachineResponse)(nil),       // 49: ionscale.v1.ExpireMachineResponse
-	(*DeleteMachineResponse)(nil),       // 50: ionscale.v1.DeleteMachineResponse
-	(*SetMachineKeyExpiryResponse)(nil), // 51: ionscale.v1.SetMachineKeyExpiryResponse
-	(*GetMachineRoutesResponse)(nil),    // 52: ionscale.v1.GetMachineRoutesResponse
+	(*EnableMachineRoutesRequest)(nil),  // 26: ionscale.v1.EnableMachineRoutesRequest
+	(*DisableMachineRoutesRequest)(nil), // 27: ionscale.v1.DisableMachineRoutesRequest
+	(*GetVersionResponse)(nil),          // 28: ionscale.v1.GetVersionResponse
+	(*AuthenticationResponse)(nil),      // 29: ionscale.v1.AuthenticationResponse
+	(*GetDERPMapResponse)(nil),          // 30: ionscale.v1.GetDERPMapResponse
+	(*SetDERPMapResponse)(nil),          // 31: ionscale.v1.SetDERPMapResponse
+	(*CreateTailnetResponse)(nil),       // 32: ionscale.v1.CreateTailnetResponse
+	(*GetTailnetResponse)(nil),          // 33: ionscale.v1.GetTailnetResponse
+	(*ListTailnetResponse)(nil),         // 34: ionscale.v1.ListTailnetResponse
+	(*DeleteTailnetResponse)(nil),       // 35: ionscale.v1.DeleteTailnetResponse
+	(*GetDNSConfigResponse)(nil),        // 36: ionscale.v1.GetDNSConfigResponse
+	(*SetDNSConfigResponse)(nil),        // 37: ionscale.v1.SetDNSConfigResponse
+	(*GetIAMPolicyResponse)(nil),        // 38: ionscale.v1.GetIAMPolicyResponse
+	(*SetIAMPolicyResponse)(nil),        // 39: ionscale.v1.SetIAMPolicyResponse
+	(*GetACLPolicyResponse)(nil),        // 40: ionscale.v1.GetACLPolicyResponse
+	(*SetACLPolicyResponse)(nil),        // 41: ionscale.v1.SetACLPolicyResponse
+	(*GetAuthKeyResponse)(nil),          // 42: ionscale.v1.GetAuthKeyResponse
+	(*CreateAuthKeyResponse)(nil),       // 43: ionscale.v1.CreateAuthKeyResponse
+	(*DeleteAuthKeyResponse)(nil),       // 44: ionscale.v1.DeleteAuthKeyResponse
+	(*ListAuthKeysResponse)(nil),        // 45: ionscale.v1.ListAuthKeysResponse
+	(*ListUsersResponse)(nil),           // 46: ionscale.v1.ListUsersResponse
+	(*DeleteUserResponse)(nil),          // 47: ionscale.v1.DeleteUserResponse
+	(*GetMachineResponse)(nil),          // 48: ionscale.v1.GetMachineResponse
+	(*ListMachinesResponse)(nil),        // 49: ionscale.v1.ListMachinesResponse
+	(*ExpireMachineResponse)(nil),       // 50: ionscale.v1.ExpireMachineResponse
+	(*DeleteMachineResponse)(nil),       // 51: ionscale.v1.DeleteMachineResponse
+	(*SetMachineKeyExpiryResponse)(nil), // 52: ionscale.v1.SetMachineKeyExpiryResponse
+	(*GetMachineRoutesResponse)(nil),    // 53: ionscale.v1.GetMachineRoutesResponse
 }
 var file_ionscale_v1_ionscale_proto_depIdxs = []int32{
 	0,  // 0: ionscale.v1.IonscaleService.GetVersion:input_type -> ionscale.v1.GetVersionRequest
@@ -286,36 +294,38 @@ var file_ionscale_v1_ionscale_proto_depIdxs = []int32{
 	23, // 23: ionscale.v1.IonscaleService.DeleteMachine:input_type -> ionscale.v1.DeleteMachineRequest
 	24, // 24: ionscale.v1.IonscaleService.SetMachineKeyExpiry:input_type -> ionscale.v1.SetMachineKeyExpiryRequest
 	25, // 25: ionscale.v1.IonscaleService.GetMachineRoutes:input_type -> ionscale.v1.GetMachineRoutesRequest
-	26, // 26: ionscale.v1.IonscaleService.SetMachineRoutes:input_type -> ionscale.v1.SetMachineRoutesRequest
-	27, // 27: ionscale.v1.IonscaleService.GetVersion:output_type -> ionscale.v1.GetVersionResponse
-	28, // 28: ionscale.v1.IonscaleService.Authenticate:output_type -> ionscale.v1.AuthenticationResponse
-	29, // 29: ionscale.v1.IonscaleService.GetDERPMap:output_type -> ionscale.v1.GetDERPMapResponse
-	30, // 30: ionscale.v1.IonscaleService.SetDERPMap:output_type -> ionscale.v1.SetDERPMapResponse
-	31, // 31: ionscale.v1.IonscaleService.CreateTailnet:output_type -> ionscale.v1.CreateTailnetResponse
-	32, // 32: ionscale.v1.IonscaleService.GetTailnet:output_type -> ionscale.v1.GetTailnetResponse
-	33, // 33: ionscale.v1.IonscaleService.ListTailnets:output_type -> ionscale.v1.ListTailnetResponse
-	34, // 34: ionscale.v1.IonscaleService.DeleteTailnet:output_type -> ionscale.v1.DeleteTailnetResponse
-	35, // 35: ionscale.v1.IonscaleService.GetDNSConfig:output_type -> ionscale.v1.GetDNSConfigResponse
-	36, // 36: ionscale.v1.IonscaleService.SetDNSConfig:output_type -> ionscale.v1.SetDNSConfigResponse
-	37, // 37: ionscale.v1.IonscaleService.GetIAMPolicy:output_type -> ionscale.v1.GetIAMPolicyResponse
-	38, // 38: ionscale.v1.IonscaleService.SetIAMPolicy:output_type -> ionscale.v1.SetIAMPolicyResponse
-	39, // 39: ionscale.v1.IonscaleService.GetACLPolicy:output_type -> ionscale.v1.GetACLPolicyResponse
-	40, // 40: ionscale.v1.IonscaleService.SetACLPolicy:output_type -> ionscale.v1.SetACLPolicyResponse
-	41, // 41: ionscale.v1.IonscaleService.GetAuthKey:output_type -> ionscale.v1.GetAuthKeyResponse
-	42, // 42: ionscale.v1.IonscaleService.CreateAuthKey:output_type -> ionscale.v1.CreateAuthKeyResponse
-	43, // 43: ionscale.v1.IonscaleService.DeleteAuthKey:output_type -> ionscale.v1.DeleteAuthKeyResponse
-	44, // 44: ionscale.v1.IonscaleService.ListAuthKeys:output_type -> ionscale.v1.ListAuthKeysResponse
-	45, // 45: ionscale.v1.IonscaleService.ListUsers:output_type -> ionscale.v1.ListUsersResponse
-	46, // 46: ionscale.v1.IonscaleService.DeleteUser:output_type -> ionscale.v1.DeleteUserResponse
-	47, // 47: ionscale.v1.IonscaleService.GetMachine:output_type -> ionscale.v1.GetMachineResponse
-	48, // 48: ionscale.v1.IonscaleService.ListMachines:output_type -> ionscale.v1.ListMachinesResponse
-	49, // 49: ionscale.v1.IonscaleService.ExpireMachine:output_type -> ionscale.v1.ExpireMachineResponse
-	50, // 50: ionscale.v1.IonscaleService.DeleteMachine:output_type -> ionscale.v1.DeleteMachineResponse
-	51, // 51: ionscale.v1.IonscaleService.SetMachineKeyExpiry:output_type -> ionscale.v1.SetMachineKeyExpiryResponse
-	52, // 52: ionscale.v1.IonscaleService.GetMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
-	52, // 53: ionscale.v1.IonscaleService.SetMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
-	27, // [27:54] is the sub-list for method output_type
-	0,  // [0:27] is the sub-list for method input_type
+	26, // 26: ionscale.v1.IonscaleService.EnableMachineRoutes:input_type -> ionscale.v1.EnableMachineRoutesRequest
+	27, // 27: ionscale.v1.IonscaleService.DisableMachineRoutes:input_type -> ionscale.v1.DisableMachineRoutesRequest
+	28, // 28: ionscale.v1.IonscaleService.GetVersion:output_type -> ionscale.v1.GetVersionResponse
+	29, // 29: ionscale.v1.IonscaleService.Authenticate:output_type -> ionscale.v1.AuthenticationResponse
+	30, // 30: ionscale.v1.IonscaleService.GetDERPMap:output_type -> ionscale.v1.GetDERPMapResponse
+	31, // 31: ionscale.v1.IonscaleService.SetDERPMap:output_type -> ionscale.v1.SetDERPMapResponse
+	32, // 32: ionscale.v1.IonscaleService.CreateTailnet:output_type -> ionscale.v1.CreateTailnetResponse
+	33, // 33: ionscale.v1.IonscaleService.GetTailnet:output_type -> ionscale.v1.GetTailnetResponse
+	34, // 34: ionscale.v1.IonscaleService.ListTailnets:output_type -> ionscale.v1.ListTailnetResponse
+	35, // 35: ionscale.v1.IonscaleService.DeleteTailnet:output_type -> ionscale.v1.DeleteTailnetResponse
+	36, // 36: ionscale.v1.IonscaleService.GetDNSConfig:output_type -> ionscale.v1.GetDNSConfigResponse
+	37, // 37: ionscale.v1.IonscaleService.SetDNSConfig:output_type -> ionscale.v1.SetDNSConfigResponse
+	38, // 38: ionscale.v1.IonscaleService.GetIAMPolicy:output_type -> ionscale.v1.GetIAMPolicyResponse
+	39, // 39: ionscale.v1.IonscaleService.SetIAMPolicy:output_type -> ionscale.v1.SetIAMPolicyResponse
+	40, // 40: ionscale.v1.IonscaleService.GetACLPolicy:output_type -> ionscale.v1.GetACLPolicyResponse
+	41, // 41: ionscale.v1.IonscaleService.SetACLPolicy:output_type -> ionscale.v1.SetACLPolicyResponse
+	42, // 42: ionscale.v1.IonscaleService.GetAuthKey:output_type -> ionscale.v1.GetAuthKeyResponse
+	43, // 43: ionscale.v1.IonscaleService.CreateAuthKey:output_type -> ionscale.v1.CreateAuthKeyResponse
+	44, // 44: ionscale.v1.IonscaleService.DeleteAuthKey:output_type -> ionscale.v1.DeleteAuthKeyResponse
+	45, // 45: ionscale.v1.IonscaleService.ListAuthKeys:output_type -> ionscale.v1.ListAuthKeysResponse
+	46, // 46: ionscale.v1.IonscaleService.ListUsers:output_type -> ionscale.v1.ListUsersResponse
+	47, // 47: ionscale.v1.IonscaleService.DeleteUser:output_type -> ionscale.v1.DeleteUserResponse
+	48, // 48: ionscale.v1.IonscaleService.GetMachine:output_type -> ionscale.v1.GetMachineResponse
+	49, // 49: ionscale.v1.IonscaleService.ListMachines:output_type -> ionscale.v1.ListMachinesResponse
+	50, // 50: ionscale.v1.IonscaleService.ExpireMachine:output_type -> ionscale.v1.ExpireMachineResponse
+	51, // 51: ionscale.v1.IonscaleService.DeleteMachine:output_type -> ionscale.v1.DeleteMachineResponse
+	52, // 52: ionscale.v1.IonscaleService.SetMachineKeyExpiry:output_type -> ionscale.v1.SetMachineKeyExpiryResponse
+	53, // 53: ionscale.v1.IonscaleService.GetMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	53, // 54: ionscale.v1.IonscaleService.EnableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	53, // 55: ionscale.v1.IonscaleService.DisableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	28, // [28:56] is the sub-list for method output_type
+	0,  // [0:28] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
@@ -53,7 +53,8 @@ type IonscaleServiceClient interface {
 	DeleteMachine(context.Context, *connect_go.Request[v1.DeleteMachineRequest]) (*connect_go.Response[v1.DeleteMachineResponse], error)
 	SetMachineKeyExpiry(context.Context, *connect_go.Request[v1.SetMachineKeyExpiryRequest]) (*connect_go.Response[v1.SetMachineKeyExpiryResponse], error)
 	GetMachineRoutes(context.Context, *connect_go.Request[v1.GetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
-	SetMachineRoutes(context.Context, *connect_go.Request[v1.SetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	EnableMachineRoutes(context.Context, *connect_go.Request[v1.EnableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	DisableMachineRoutes(context.Context, *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 }

 // NewIonscaleServiceClient constructs a client for the ionscale.v1.IonscaleService service. By
@@ -196,9 +197,14 @@ func NewIonscaleServiceClient(httpClient connect_go.HTTPClient, baseURL string,
 			baseURL+"/ionscale.v1.IonscaleService/GetMachineRoutes",
 			opts...,
 		),
-		setMachineRoutes: connect_go.NewClient[v1.SetMachineRoutesRequest, v1.GetMachineRoutesResponse](
+		enableMachineRoutes: connect_go.NewClient[v1.EnableMachineRoutesRequest, v1.GetMachineRoutesResponse](
 			httpClient,
-			baseURL+"/ionscale.v1.IonscaleService/SetMachineRoutes",
+			baseURL+"/ionscale.v1.IonscaleService/EnableMachineRoutes",
+			opts...,
+		),
+		disableMachineRoutes: connect_go.NewClient[v1.DisableMachineRoutesRequest, v1.GetMachineRoutesResponse](
+			httpClient,
+			baseURL+"/ionscale.v1.IonscaleService/DisableMachineRoutes",
 			opts...,
 		),
 	}
@@ -232,7 +238,8 @@ type ionscaleServiceClient struct {
 	deleteMachine        *connect_go.Client[v1.DeleteMachineRequest, v1.DeleteMachineResponse]
 	setMachineKeyExpiry  *connect_go.Client[v1.SetMachineKeyExpiryRequest, v1.SetMachineKeyExpiryResponse]
 	getMachineRoutes     *connect_go.Client[v1.GetMachineRoutesRequest, v1.GetMachineRoutesResponse]
-	setMachineRoutes    *connect_go.Client[v1.SetMachineRoutesRequest, v1.GetMachineRoutesResponse]
+	enableMachineRoutes  *connect_go.Client[v1.EnableMachineRoutesRequest, v1.GetMachineRoutesResponse]
+	disableMachineRoutes *connect_go.Client[v1.DisableMachineRoutesRequest, v1.GetMachineRoutesResponse]
 }

 // GetVersion calls ionscale.v1.IonscaleService.GetVersion.
@@ -365,9 +372,14 @@ func (c *ionscaleServiceClient) GetMachineRoutes(ctx context.Context, req *conne
 	return c.getMachineRoutes.CallUnary(ctx, req)
 }

-// SetMachineRoutes calls ionscale.v1.IonscaleService.SetMachineRoutes.
-func (c *ionscaleServiceClient) SetMachineRoutes(ctx context.Context, req *connect_go.Request[v1.SetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
-	return c.setMachineRoutes.CallUnary(ctx, req)
+// EnableMachineRoutes calls ionscale.v1.IonscaleService.EnableMachineRoutes.
+func (c *ionscaleServiceClient) EnableMachineRoutes(ctx context.Context, req *connect_go.Request[v1.EnableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
+	return c.enableMachineRoutes.CallUnary(ctx, req)
+}
+
+// DisableMachineRoutes calls ionscale.v1.IonscaleService.DisableMachineRoutes.
+func (c *ionscaleServiceClient) DisableMachineRoutes(ctx context.Context, req *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
+	return c.disableMachineRoutes.CallUnary(ctx, req)
 }

 // IonscaleServiceHandler is an implementation of the ionscale.v1.IonscaleService service.
@@ -398,7 +410,8 @@ type IonscaleServiceHandler interface {
 	DeleteMachine(context.Context, *connect_go.Request[v1.DeleteMachineRequest]) (*connect_go.Response[v1.DeleteMachineResponse], error)
 	SetMachineKeyExpiry(context.Context, *connect_go.Request[v1.SetMachineKeyExpiryRequest]) (*connect_go.Response[v1.SetMachineKeyExpiryResponse], error)
 	GetMachineRoutes(context.Context, *connect_go.Request[v1.GetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
-	SetMachineRoutes(context.Context, *connect_go.Request[v1.SetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	EnableMachineRoutes(context.Context, *connect_go.Request[v1.EnableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	DisableMachineRoutes(context.Context, *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 }

 // NewIonscaleServiceHandler builds an HTTP handler from the service implementation. It returns the
@@ -538,9 +551,14 @@ func NewIonscaleServiceHandler(svc IonscaleServiceHandler, opts ...connect_go.Ha
 		svc.GetMachineRoutes,
 		opts...,
 	))
-	mux.Handle("/ionscale.v1.IonscaleService/SetMachineRoutes", connect_go.NewUnaryHandler(
-		"/ionscale.v1.IonscaleService/SetMachineRoutes",
-		svc.SetMachineRoutes,
+	mux.Handle("/ionscale.v1.IonscaleService/EnableMachineRoutes", connect_go.NewUnaryHandler(
+		"/ionscale.v1.IonscaleService/EnableMachineRoutes",
+		svc.EnableMachineRoutes,
+		opts...,
+	))
+	mux.Handle("/ionscale.v1.IonscaleService/DisableMachineRoutes", connect_go.NewUnaryHandler(
+		"/ionscale.v1.IonscaleService/DisableMachineRoutes",
+		svc.DisableMachineRoutes,
 		opts...,
 	))
 	return "/ionscale.v1.IonscaleService/", mux
@@ -653,6 +671,10 @@ func (UnimplementedIonscaleServiceHandler) GetMachineRoutes(context.Context, *co
 	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.GetMachineRoutes is not implemented"))
 }

-func (UnimplementedIonscaleServiceHandler) SetMachineRoutes(context.Context, *connect_go.Request[v1.SetMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
-	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.SetMachineRoutes is not implemented"))
+func (UnimplementedIonscaleServiceHandler) EnableMachineRoutes(context.Context, *connect_go.Request[v1.EnableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
+	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.EnableMachineRoutes is not implemented"))
+}
+
+func (UnimplementedIonscaleServiceHandler) DisableMachineRoutes(context.Context, *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
+	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.DisableMachineRoutes is not implemented"))
 }
@@ -494,6 +494,8 @@ type Machine struct {
 	CreatedAt          *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
 	ExpiresAt          *timestamppb.Timestamp `protobuf:"bytes,15,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"`
 	KeyExpiryDisabled  bool                   `protobuf:"varint,16,opt,name=key_expiry_disabled,json=keyExpiryDisabled,proto3" json:"key_expiry_disabled,omitempty"`
+	EnabledRoutes      []string               `protobuf:"bytes,17,rep,name=enabled_routes,json=enabledRoutes,proto3" json:"enabled_routes,omitempty"`
+	AdvertisedRoutes   []string               `protobuf:"bytes,18,rep,name=advertised_routes,json=advertisedRoutes,proto3" json:"advertised_routes,omitempty"`
 }

 func (x *Machine) Reset() {
@@ -640,6 +642,20 @@ func (x *Machine) GetKeyExpiryDisabled() bool {
 	return false
 }

+func (x *Machine) GetEnabledRoutes() []string {
+	if x != nil {
+		return x.EnabledRoutes
+	}
+	return nil
+}
+
+func (x *Machine) GetAdvertisedRoutes() []string {
+	if x != nil {
+		return x.AdvertisedRoutes
+	}
+	return nil
+}
+
 type ClientConnectivity struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -731,7 +747,7 @@ var file_ionscale_v1_machines_proto_rawDesc = []byte{
 	0x6e, 0x73, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
 	0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x22, 0xdf, 0x04, 0x0a, 0x07, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
+	0x69, 0x6e, 0x65, 0x22, 0xb3, 0x05, 0x0a, 0x07, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
 	0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12,
 	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
 	0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x69, 0x70, 0x76, 0x34, 0x18, 0x03, 0x20, 0x01, 0x28,
@@ -769,14 +785,20 @@ var file_ionscale_v1_machines_proto_rawDesc = []byte{
 	0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x2e, 0x0a, 0x13, 0x6b, 0x65, 0x79, 0x5f, 0x65, 0x78, 0x70,
 	0x69, 0x72, 0x79, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x10, 0x20, 0x01,
 	0x28, 0x08, 0x52, 0x11, 0x6b, 0x65, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x44, 0x69, 0x73,
-	0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x32, 0x0a, 0x12, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43,
-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x65,
-	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09,
-	0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73,
-	0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65,
-	0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f,
-	0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x25, 0x0a, 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
+	0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x65,
+	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x2b, 0x0a, 0x11,
+	0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x18, 0x12, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69,
+	0x73, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x32, 0x0a, 0x12, 0x43, 0x6c, 0x69,
+	0x65, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x12,
+	0x1c, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x42, 0x3d, 0x5a,
+	0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65,
+	0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b,
+	0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76,
+	0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -72,7 +72,8 @@ type GetMachineRoutesResponse struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Routes []*RoutableIP `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty"`
+	AdvertisedRoutes []string `protobuf:"bytes,1,rep,name=advertised_routes,json=advertisedRoutes,proto3" json:"advertised_routes,omitempty"`
+	EnabledRoutes    []string `protobuf:"bytes,2,rep,name=enabled_routes,json=enabledRoutes,proto3" json:"enabled_routes,omitempty"`
 }

 func (x *GetMachineRoutesResponse) Reset() {
@@ -107,24 +108,32 @@ func (*GetMachineRoutesResponse) Descriptor() ([]byte, []int) {
 	return file_ionscale_v1_routes_proto_rawDescGZIP(), []int{1}
 }

-func (x *GetMachineRoutesResponse) GetRoutes() []*RoutableIP {
+func (x *GetMachineRoutesResponse) GetAdvertisedRoutes() []string {
 	if x != nil {
-		return x.Routes
+		return x.AdvertisedRoutes
 	}
 	return nil
 }

-type SetMachineRoutesRequest struct {
+func (x *GetMachineRoutesResponse) GetEnabledRoutes() []string {
+	if x != nil {
+		return x.EnabledRoutes
+	}
+	return nil
+}
+
+type EnableMachineRoutesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

 	MachineId uint64   `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
-	AllowedIps []string `protobuf:"bytes,2,rep,name=allowed_ips,json=allowedIps,proto3" json:"allowed_ips,omitempty"`
+	Routes    []string `protobuf:"bytes,2,rep,name=routes,proto3" json:"routes,omitempty"`
+	Replace   bool     `protobuf:"varint,3,opt,name=replace,proto3" json:"replace,omitempty"`
 }

-func (x *SetMachineRoutesRequest) Reset() {
-	*x = SetMachineRoutesRequest{}
+func (x *EnableMachineRoutesRequest) Reset() {
+	*x = EnableMachineRoutesRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_ionscale_v1_routes_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -132,13 +141,13 @@ func (x *SetMachineRoutesRequest) Reset() {
 	}
 }

-func (x *SetMachineRoutesRequest) String() string {
+func (x *EnableMachineRoutesRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*SetMachineRoutesRequest) ProtoMessage() {}
+func (*EnableMachineRoutesRequest) ProtoMessage() {}

-func (x *SetMachineRoutesRequest) ProtoReflect() protoreflect.Message {
+func (x *EnableMachineRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_ionscale_v1_routes_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -150,36 +159,43 @@ func (x *SetMachineRoutesRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use SetMachineRoutesRequest.ProtoReflect.Descriptor instead.
-func (*SetMachineRoutesRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use EnableMachineRoutesRequest.ProtoReflect.Descriptor instead.
+func (*EnableMachineRoutesRequest) Descriptor() ([]byte, []int) {
 	return file_ionscale_v1_routes_proto_rawDescGZIP(), []int{2}
 }

-func (x *SetMachineRoutesRequest) GetMachineId() uint64 {
+func (x *EnableMachineRoutesRequest) GetMachineId() uint64 {
 	if x != nil {
 		return x.MachineId
 	}
 	return 0
 }

-func (x *SetMachineRoutesRequest) GetAllowedIps() []string {
+func (x *EnableMachineRoutesRequest) GetRoutes() []string {
 	if x != nil {
-		return x.AllowedIps
+		return x.Routes
 	}
 	return nil
 }

-type RoutableIP struct {
+func (x *EnableMachineRoutesRequest) GetReplace() bool {
+	if x != nil {
+		return x.Replace
+	}
+	return false
+}
+
+type DisableMachineRoutesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Advertised string `protobuf:"bytes,1,opt,name=advertised,proto3" json:"advertised,omitempty"`
-	Allowed    bool   `protobuf:"varint,2,opt,name=allowed,proto3" json:"allowed,omitempty"`
+	MachineId uint64   `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+	Routes    []string `protobuf:"bytes,2,rep,name=routes,proto3" json:"routes,omitempty"`
 }

-func (x *RoutableIP) Reset() {
-	*x = RoutableIP{}
+func (x *DisableMachineRoutesRequest) Reset() {
+	*x = DisableMachineRoutesRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_ionscale_v1_routes_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -187,13 +203,13 @@ func (x *RoutableIP) Reset() {
 	}
 }

-func (x *RoutableIP) String() string {
+func (x *DisableMachineRoutesRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*RoutableIP) ProtoMessage() {}
+func (*DisableMachineRoutesRequest) ProtoMessage() {}

-func (x *RoutableIP) ProtoReflect() protoreflect.Message {
+func (x *DisableMachineRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_ionscale_v1_routes_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -205,23 +221,23 @@ func (x *RoutableIP) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use RoutableIP.ProtoReflect.Descriptor instead.
-func (*RoutableIP) Descriptor() ([]byte, []int) {
+// Deprecated: Use DisableMachineRoutesRequest.ProtoReflect.Descriptor instead.
+func (*DisableMachineRoutesRequest) Descriptor() ([]byte, []int) {
 	return file_ionscale_v1_routes_proto_rawDescGZIP(), []int{3}
 }

-func (x *RoutableIP) GetAdvertised() string {
+func (x *DisableMachineRoutesRequest) GetMachineId() uint64 {
 	if x != nil {
-		return x.Advertised
+		return x.MachineId
 	}
-	return ""
+	return 0
 }

-func (x *RoutableIP) GetAllowed() bool {
+func (x *DisableMachineRoutesRequest) GetRoutes() []string {
 	if x != nil {
-		return x.Allowed
+		return x.Routes
 	}
-	return false
+	return nil
 }

 var File_ionscale_v1_routes_proto protoreflect.FileDescriptor
@@ -233,26 +249,30 @@ var file_ionscale_v1_routes_proto_rawDesc = []byte{
 	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64,
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49,
-	0x64, 0x22, 0x4b, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a,
-	0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e,
-	0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74,
-	0x61, 0x62, 0x6c, 0x65, 0x49, 0x50, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x59,
-	0x0a, 0x17, 0x53, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f,
-	0x77, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x61,
-	0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x22, 0x46, 0x0a, 0x0a, 0x52, 0x6f, 0x75,
-	0x74, 0x61, 0x62, 0x6c, 0x65, 0x49, 0x50, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x64, 0x76, 0x65, 0x72,
-	0x74, 0x69, 0x73, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x64, 0x76,
-	0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x6c, 0x6c, 0x6f, 0x77,
-	0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65,
-	0x64, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
-	0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x64, 0x22, 0x6e, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2b, 0x0a,
+	0x11, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74,
+	0x69, 0x73, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x65, 0x6e,
+	0x61, 0x62, 0x6c, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x0d, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x22, 0x6d, 0x0a, 0x1a, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x16,
+	0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65,
+	0x22, 0x54, 0x0a, 0x1b, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x16,
+	0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f,
+	0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69,
+	0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -271,16 +291,15 @@ var file_ionscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
 var file_ionscale_v1_routes_proto_goTypes = []interface{}{
 	(*GetMachineRoutesRequest)(nil),     // 0: ionscale.v1.GetMachineRoutesRequest
 	(*GetMachineRoutesResponse)(nil),    // 1: ionscale.v1.GetMachineRoutesResponse
-	(*SetMachineRoutesRequest)(nil),  // 2: ionscale.v1.SetMachineRoutesRequest
-	(*RoutableIP)(nil),               // 3: ionscale.v1.RoutableIP
+	(*EnableMachineRoutesRequest)(nil),  // 2: ionscale.v1.EnableMachineRoutesRequest
+	(*DisableMachineRoutesRequest)(nil), // 3: ionscale.v1.DisableMachineRoutesRequest
 }
 var file_ionscale_v1_routes_proto_depIdxs = []int32{
-	3, // 0: ionscale.v1.GetMachineRoutesResponse.routes:type_name -> ionscale.v1.RoutableIP
-	1, // [1:1] is the sub-list for method output_type
-	1, // [1:1] is the sub-list for method input_type
-	1, // [1:1] is the sub-list for extension type_name
-	1, // [1:1] is the sub-list for extension extendee
-	0, // [0:1] is the sub-list for field type_name
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
 }

 func init() { file_ionscale_v1_routes_proto_init() }
@@ -314,7 +333,7 @@ func file_ionscale_v1_routes_proto_init() {
 			}
 		}
 		file_ionscale_v1_routes_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SetMachineRoutesRequest); i {
+			switch v := v.(*EnableMachineRoutesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -326,7 +345,7 @@ func file_ionscale_v1_routes_proto_init() {
 			}
 		}
 		file_ionscale_v1_routes_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*RoutableIP); i {
+			switch v := v.(*DisableMachineRoutesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -54,5 +54,6 @@ service IonscaleService {
  rpc DeleteMachine(DeleteMachineRequest) returns (DeleteMachineResponse) {}
  rpc SetMachineKeyExpiry(SetMachineKeyExpiryRequest) returns (SetMachineKeyExpiryResponse) {}
  rpc GetMachineRoutes (GetMachineRoutesRequest) returns (GetMachineRoutesResponse) {}
-  rpc SetMachineRoutes (SetMachineRoutesRequest) returns (GetMachineRoutesResponse) {}
+  rpc EnableMachineRoutes (EnableMachineRoutesRequest) returns (GetMachineRoutesResponse) {}
+  rpc DisableMachineRoutes (DisableMachineRoutesRequest) returns (GetMachineRoutesResponse) {}
 }
@@ -60,6 +60,8 @@ message Machine {
  google.protobuf.Timestamp created_at = 14;
  google.protobuf.Timestamp expires_at = 15;
  bool key_expiry_disabled = 16;
+  repeated string enabled_routes = 17;
+  repeated string advertised_routes = 18;
 }

 message ClientConnectivity {
@@ -8,15 +8,17 @@ message GetMachineRoutesRequest {
 }

 message GetMachineRoutesResponse {
-  repeated RoutableIP routes = 1;
+  repeated string advertised_routes = 1;
+  repeated string enabled_routes = 2;
 }

-message SetMachineRoutesRequest {
+message EnableMachineRoutesRequest {
  uint64 machine_id = 1;
-  repeated string allowed_ips = 2;
+  repeated string routes = 2;
+  bool replace = 3;
 }

-message RoutableIP {
-  string advertised = 1;
-  bool allowed = 2;
+message DisableMachineRoutesRequest {
+  uint64 machine_id = 1;
+  repeated string routes = 2;
 }