diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/AttachVnfTemplateCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/AttachVnfTemplateCmd.java
new file mode 100644
index 000000000000..8cb389ca6b8b
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/AttachVnfTemplateCmd.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.api.command.user.vnf;
+
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.*;
+import javax.inject.Inject;
+
+@APICommand(name="attachVnfTemplate", responseObject=SuccessResponse.class,
+        description="Bind an existing VM as the VNF for the network")
+public class AttachVnfTemplateCmd extends BaseAsyncCmd {
+    @Parameter(name="networkid", type=CommandType.UUID, entityType=NetworkResponse.class, required=true) private Long networkId;
+    @Parameter(name="vmid", type=CommandType.UUID, entityType=UserVmResponse.class, required=true) private Long vmId;
+
+    @Inject private org.apache.cloudstack.vnf.VnfNetworkService vnfSvc;
+    @Override public void execute() {
+        vnfSvc.attachVnfVm(networkId, vmId, getEntityOwnerId());
+        setResponseObject(new SuccessResponse(getCommandName()));
+    }
+    @Override public String getCommandName(){return "attachvnftemplateresponse";}
+    @Override public long getEntityOwnerId(){return CallContext.current().getCallingAccountId();}
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/CreateVnfNetworkCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/CreateVnfNetworkCmd.java
new file mode 100644
index 000000000000..1a779d9020c3
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/CreateVnfNetworkCmd.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.api.command.user.vnf;
+
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.*;
+import javax.inject.Inject;
+
+@APICommand(name = "createVnfNetwork",
+        description = "Create a VNF network (deploy VR broker + VNF VM)",
+        responseObject = CreateNetworkResponse.class)
+public class CreateVnfNetworkCmd extends BaseAsyncCreateCmd {
+    @Parameter(name="name", type=CommandType.STRING, required=true) private String name;
+    @Parameter(name="displaytext", type=CommandType.STRING) private String displayText;
+    @Parameter(name="zoneid", type=CommandType.UUID, entityType=ZoneResponse.class, required=true) private Long zoneId;
+    @Parameter(name="vnftemplateid", type=CommandType.UUID, entityType=TemplateResponse.class, required=true) private Long vnfTemplateId;
+    @Parameter(name="servicehelpers", type=CommandType.STRING) private String serviceHelpers;
+    @Parameter(name="dictionaryyaml", type=CommandType.STRING) private String dictionaryYaml;
+
+    @Inject private org.apache.cloudstack.vnf.VnfNetworkService vnfSvc;
+
+    @Override public void execute() {
+        CreateNetworkResponse resp = vnfSvc.createVnfNetwork(this);
+        setResponseObject(resp); resp.setResponseName(getCommandName());
+    }
+    @Override public String getCommandName() { return "createvnfnetworkresponse"; }
+    @Override public long getEntityOwnerId() { return CallContext.current().getCallingAccountId(); }
+
+    // getters...
+    public String getName(){return name;} public String getDisplayText(){return displayText;}
+    public Long getZoneId(){return zoneId;} public Long getVnfTemplateId(){return vnfTemplateId;}
+    public String getServiceHelpers(){return serviceHelpers;} public String getDictionaryYaml(){return dictionaryYaml;}
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/GetVnfNetworkStatusCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/GetVnfNetworkStatusCmd.java
new file mode 100644
index 000000000000..9a5537b5708e
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/GetVnfNetworkStatusCmd.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.api.command.user.vnf;
+
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.*;
+import javax.inject.Inject;
+
+@APICommand(name="getVnfNetworkStatus",
+        description="Return broker/VNF/dictionary status for a VNF network",
+        responseObject=org.apache.cloudstack.api.response.SuccessResponse.class)
+public class GetVnfNetworkStatusCmd extends BaseCmd {
+    @Parameter(name="networkid", type=CommandType.UUID, entityType=NetworkResponse.class, required=true) private Long networkId;
+    @Inject private org.apache.cloudstack.vnf.VnfNetworkService vnfSvc;
+    @Override public void execute() {
+        setResponseObject(vnfSvc.getStatus(networkId));
+    }
+    @Override public String getCommandName(){ return "getvnfnetworkstatusresponse"; }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/UploadVnfDictionaryCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/UploadVnfDictionaryCmd.java
new file mode 100644
index 000000000000..34370d41044f
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/vnf/UploadVnfDictionaryCmd.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.api.command.user.vnf;
+
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.*;
+import javax.inject.Inject;
+
+@APICommand(name="uploadVnfDictionary", responseObject=SuccessResponse.class,
+        description="Upload/replace a dictionary YAML for a VNF network")
+public class UploadVnfDictionaryCmd extends BaseAsyncCmd {
+    @Parameter(name="networkid", type=CommandType.UUID, entityType=NetworkResponse.class, required=true) private Long networkId;
+    @Parameter(name="name", type=CommandType.STRING) private String name;
+    @Parameter(name="yaml", type=CommandType.STRING, required=true) private String yaml;
+
+    @Inject private org.apache.cloudstack.vnf.VnfNetworkService vnfSvc;
+
+    @Override public void execute() {
+        vnfSvc.uploadDictionary(networkId, name, yaml, getEntityOwnerId());
+        setResponseObject(new SuccessResponse(getCommandName()));
+    }
+    @Override public String getCommandName() { return "uploadvnfdictionaryresponse"; }
+    @Override public long getEntityOwnerId() { return CallContext.current().getCallingAccountId(); }
+}
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/42110-vnf-network.xml b/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/42110-vnf-network.xml
new file mode 100644
index 000000000000..2f25b3f0f4f9
--- /dev/null
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/42110-vnf-network.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+                   http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.8.xsd">
+
+  <changeSet id="vnf-dictionary" author="wei.zhou">
+    <createTable tableName="vnf_dictionary">
+      <column name="id" type="BIGINT" autoIncrement="true">
+        <constraints primaryKey="true" nullable="false"/>
+      </column>
+      <column name="network_id" type="BIGINT"><constraints nullable="false"/></column>
+      <column name="name" type="VARCHAR(128)"/>
+      <column name="version" type="INT" defaultValueNumeric="1"/>
+      <column name="yaml_blob" type="LONGTEXT"/>
+      <column name="checksum" type="CHAR(64)"/>
+      <column name="created" type="DATETIME"/>
+      <column name="created_by" type="VARCHAR(128)"/>
+    </createTable>
+    <createIndex indexName="idx_vnfdict_network" tableName="vnf_dictionary">
+      <column name="network_id"/>
+    </createIndex>
+  </changeSet>
+
+  <changeSet id="vnf-network-binding" author="wei.zhou">
+    <createTable tableName="vnf_network_binding">
+      <column name="network_id" type="BIGINT">
+        <constraints primaryKey="true" nullable="false"/>
+      </column>
+      <column name="vnf_vm_id" type="BIGINT"/>
+      <column name="broker_state" type="VARCHAR(16)"/>
+      <column name="helpers" type="INT" defaultValueNumeric="7"/>
+      <column name="updated" type="DATETIME"/>
+    </createTable>
+  </changeSet>
+
+  <changeSet id="vnf-rule-map" author="wei.zhou">
+    <createTable tableName="vnf_rule_map">
+      <column name="id" type="BIGINT" autoIncrement="true">
+        <constraints primaryKey="true" nullable="false"/>
+      </column>
+      <column name="network_id" type="BIGINT"><constraints nullable="false"/></column>
+      <column name="acs_rule_uuid" type="CHAR(36)"><constraints nullable="false"/></column>
+      <column name="vnf_rule_id" type="VARCHAR(128)"/>
+      <column name="service" type="VARCHAR(32)"/>
+      <column name="created" type="DATETIME"/>
+      <column name="updated" type="DATETIME"/>
+    </createTable>
+    <createIndex indexName="idx_vrm_network_service" tableName="vnf_rule_map">
+      <column name="network_id"/>
+      <column name="service"/>
+    </createIndex>
+    <createIndex indexName="idx_vrm_vnfid" tableName="vnf_rule_map">
+      <column name="vnf_rule_id"/>
+    </createIndex>
+    <addUniqueConstraint tableName="vnf_rule_map" columnNames="network_id,acs_rule_uuid"
+                         constraintName="uc_vrm_network_ruleuuid"/>
+  </changeSet>
+</databaseChangeLog>
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/upgrade.xml b/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/upgrade.xml
new file mode 100644
index 000000000000..6950977fb4ed
--- /dev/null
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42100to42200/upgrade.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+                   http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.8.xsd">
+  <include file="schema-42100to42200/42110-vnf-network.xml"/>
+</databaseChangeLog>
diff --git a/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkService.java b/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkService.java
new file mode 100644
index 000000000000..850f462453a1
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkService.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.vnf;
+
+import org.apache.cloudstack.api.command.user.vnf.*;
+import org.apache.cloudstack.api.response.CreateNetworkResponse;
+
+public interface VnfNetworkService {
+    CreateNetworkResponse createVnfNetwork(CreateVnfNetworkCmd cmd);
+    void uploadDictionary(long networkId, String name, String yaml, long ownerId);
+    void attachVnfVm(long networkId, long vmId, long ownerId);
+    org.apache.cloudstack.api.response.SuccessResponse getStatus(long networkId);
+}
diff --git a/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkServiceImpl.java b/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkServiceImpl.java
new file mode 100644
index 000000000000..45f96baa170c
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/vnf/VnfNetworkServiceImpl.java
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.vnf;
+
+import com.cloud.network.Network;
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.response.CreateNetworkResponse;
+import javax.inject.Inject;
+import javax.ejb.Local;
+
+@Local(value=VnfNetworkService.class)
+public class VnfNetworkServiceImpl implements VnfNetworkService {
+
+    @Inject private dao.VnfDictionaryDao dictDao;
+    @Inject private dao.VnfNetworkBindingDao bindingDao;
+    @Inject private dao.VnfRuleMapDao ruleDao;
+    @Inject private VnfTemplateRenderer renderer;
+    @Inject private VnfTransport transport;
+
+    @Override
+    public CreateNetworkResponse createVnfNetwork(org.apache.cloudstack.api.command.user.vnf.CreateVnfNetworkCmd cmd) {
+        // TODO: create network record (like Isolated), deploy VR broker + VNF VM from template,
+        // persist binding + optional dictionary, return response with IDs
+        return new CreateNetworkResponse();
+    }
+
+    @Override
+    public void uploadDictionary(long networkId, String name, String yaml, long ownerId) {
+        // TODO: validate YAML placeholders; persist versioned dictionary
+    }
+
+    @Override
+    public void attachVnfVm(long networkId, long vmId, long ownerId) {
+        // TODO: bind a VM as the VNF; update egress allowlist for broker
+    }
+
+    @Override
+    public org.apache.cloudstack.api.response.SuccessResponse getStatus(long networkId) {
+        // TODO: query broker health + VNF reachability + dict version
+        return new org.apache.cloudstack.api.response.SuccessResponse("getvnfnetworkstatus");
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/vnf/VnfTemplateRenderer.java b/server/src/main/java/org/apache/cloudstack/vnf/VnfTemplateRenderer.java
new file mode 100644
index 000000000000..dd0e4e6c96bc
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/vnf/VnfTemplateRenderer.java
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.vnf;
+
+import java.util.Map;
+
+public class VnfTemplateRenderer {
+    public RenderedRequest render(Dictionary dict, String key, Map<String,Object> inputs, Map<String,String> injectedHeaders) {
+        // TODO: SnakeYAML load -> map; replace ${...}; build method/path/body/headers; return RenderedRequest
+        return new RenderedRequest("POST", "/api/v2/firewall/rule", Map.of(), injectedHeaders);
+    }
+
+    public static class Dictionary { public Map<String,Object> root; }
+    public static class RenderedRequest {
+        public final String method, path; public final Object body; public final Map<String,String> headers;
+        public RenderedRequest(String m, String p, Object b, Map<String,String> h){ method=m; path=p; body=b; headers=h; }
+    }
+}
diff --git a/server/src/main/java/org/apache/cloudstack/vnf/VnfTransport.java b/server/src/main/java/org/apache/cloudstack/vnf/VnfTransport.java
new file mode 100644
index 000000000000..49c428223cb2
--- /dev/null
+++ b/server/src/main/java/org/apache/cloudstack/vnf/VnfTransport.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cloudstack.vnf;
+
+public class VnfTransport {
+    public static class VnfResponse { public final int status; public final String body;
+        public VnfResponse(int s, String b){ status=s; body=b; } }
+
+    public VnfResponse forward(long networkId, String vnfIp, int port,
+                               VnfTemplateRenderer.RenderedRequest req, String idemKey) {
+        // TODO: POST https://<vr>:8443/v1/forward with mTLS + JWT; return status/body
+        return new VnfResponse(200, "{}");
+    }
+}