diff --git a/backend/app/api/interfaces.py b/backend/app/api/interfaces.py
new file mode 100644
index 0000000..c37ae1e
--- /dev/null
+++ b/backend/app/api/interfaces.py
@@ -0,0 +1,64 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from app import models, schemas
+from app.auth import get_current_user
+from app.database import get_db
+
+router = APIRouter()
+
+
+def _owner_config(config_id: int, db: Session, user: models.User) -> models.Config:
+    config = db.query(models.Config).filter(
+        models.Config.id == config_id, models.Config.owner_id == user.id
+    ).first()
+    if not config:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return config
+
+
+@router.get("/{config_id}/interfaces", response_model=list[schemas.InterfaceOut])
+def list_interfaces(config_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    return db.query(models.Interface).filter(models.Interface.config_id == config_id).all()
+
+
+@router.post("/{config_id}/interfaces", response_model=schemas.InterfaceOut, status_code=201)
+def create_interface(config_id: int, body: schemas.InterfaceCreate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    iface = models.Interface(**body.model_dump(), config_id=config_id)
+    db.add(iface)
+    db.commit()
+    db.refresh(iface)
+    return iface
+
+
+@router.get("/{config_id}/interfaces/{interface_id}", response_model=schemas.InterfaceOut)
+def get_interface(config_id: int, interface_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    iface = db.query(models.Interface).filter(models.Interface.id == interface_id, models.Interface.config_id == config_id).first()
+    if not iface:
+        raise HTTPException(status_code=404, detail="Interface not found")
+    return iface
+
+
+@router.put("/{config_id}/interfaces/{interface_id}", response_model=schemas.InterfaceOut)
+def update_interface(config_id: int, interface_id: int, body: schemas.InterfaceUpdate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    iface = db.query(models.Interface).filter(models.Interface.id == interface_id, models.Interface.config_id == config_id).first()
+    if not iface:
+        raise HTTPException(status_code=404, detail="Interface not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(iface, field, value)
+    db.commit()
+    db.refresh(iface)
+    return iface
+
+
+@router.delete("/{config_id}/interfaces/{interface_id}", status_code=204)
+def delete_interface(config_id: int, interface_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    iface = db.query(models.Interface).filter(models.Interface.id == interface_id, models.Interface.config_id == config_id).first()
+    if not iface:
+        raise HTTPException(status_code=404, detail="Interface not found")
+    db.delete(iface)
+    db.commit()
diff --git a/backend/app/api/masq.py b/backend/app/api/masq.py
new file mode 100644
index 0000000..76835b3
--- /dev/null
+++ b/backend/app/api/masq.py
@@ -0,0 +1,64 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from app import models, schemas
+from app.auth import get_current_user
+from app.database import get_db
+
+router = APIRouter()
+
+
+def _owner_config(config_id: int, db: Session, user: models.User) -> models.Config:
+    config = db.query(models.Config).filter(
+        models.Config.id == config_id, models.Config.owner_id == user.id
+    ).first()
+    if not config:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return config
+
+
+@router.get("/{config_id}/masq", response_model=list[schemas.MasqOut])
+def list_masq(config_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    return db.query(models.Masq).filter(models.Masq.config_id == config_id).all()
+
+
+@router.post("/{config_id}/masq", response_model=schemas.MasqOut, status_code=201)
+def create_masq(config_id: int, body: schemas.MasqCreate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    masq = models.Masq(**body.model_dump(), config_id=config_id)
+    db.add(masq)
+    db.commit()
+    db.refresh(masq)
+    return masq
+
+
+@router.get("/{config_id}/masq/{masq_id}", response_model=schemas.MasqOut)
+def get_masq(config_id: int, masq_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    masq = db.query(models.Masq).filter(models.Masq.id == masq_id, models.Masq.config_id == config_id).first()
+    if not masq:
+        raise HTTPException(status_code=404, detail="Masq entry not found")
+    return masq
+
+
+@router.put("/{config_id}/masq/{masq_id}", response_model=schemas.MasqOut)
+def update_masq(config_id: int, masq_id: int, body: schemas.MasqUpdate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    masq = db.query(models.Masq).filter(models.Masq.id == masq_id, models.Masq.config_id == config_id).first()
+    if not masq:
+        raise HTTPException(status_code=404, detail="Masq entry not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(masq, field, value)
+    db.commit()
+    db.refresh(masq)
+    return masq
+
+
+@router.delete("/{config_id}/masq/{masq_id}", status_code=204)
+def delete_masq(config_id: int, masq_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    masq = db.query(models.Masq).filter(models.Masq.id == masq_id, models.Masq.config_id == config_id).first()
+    if not masq:
+        raise HTTPException(status_code=404, detail="Masq entry not found")
+    db.delete(masq)
+    db.commit()
diff --git a/backend/app/api/policies.py b/backend/app/api/policies.py
new file mode 100644
index 0000000..1b70d19
--- /dev/null
+++ b/backend/app/api/policies.py
@@ -0,0 +1,64 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from app import models, schemas
+from app.auth import get_current_user
+from app.database import get_db
+
+router = APIRouter()
+
+
+def _owner_config(config_id: int, db: Session, user: models.User) -> models.Config:
+    config = db.query(models.Config).filter(
+        models.Config.id == config_id, models.Config.owner_id == user.id
+    ).first()
+    if not config:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return config
+
+
+@router.get("/{config_id}/policies", response_model=list[schemas.PolicyOut])
+def list_policies(config_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    return db.query(models.Policy).filter(models.Policy.config_id == config_id).order_by(models.Policy.position).all()
+
+
+@router.post("/{config_id}/policies", response_model=schemas.PolicyOut, status_code=201)
+def create_policy(config_id: int, body: schemas.PolicyCreate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    policy = models.Policy(**body.model_dump(), config_id=config_id)
+    db.add(policy)
+    db.commit()
+    db.refresh(policy)
+    return policy
+
+
+@router.get("/{config_id}/policies/{policy_id}", response_model=schemas.PolicyOut)
+def get_policy(config_id: int, policy_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    policy = db.query(models.Policy).filter(models.Policy.id == policy_id, models.Policy.config_id == config_id).first()
+    if not policy:
+        raise HTTPException(status_code=404, detail="Policy not found")
+    return policy
+
+
+@router.put("/{config_id}/policies/{policy_id}", response_model=schemas.PolicyOut)
+def update_policy(config_id: int, policy_id: int, body: schemas.PolicyUpdate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    policy = db.query(models.Policy).filter(models.Policy.id == policy_id, models.Policy.config_id == config_id).first()
+    if not policy:
+        raise HTTPException(status_code=404, detail="Policy not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(policy, field, value)
+    db.commit()
+    db.refresh(policy)
+    return policy
+
+
+@router.delete("/{config_id}/policies/{policy_id}", status_code=204)
+def delete_policy(config_id: int, policy_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    policy = db.query(models.Policy).filter(models.Policy.id == policy_id, models.Policy.config_id == config_id).first()
+    if not policy:
+        raise HTTPException(status_code=404, detail="Policy not found")
+    db.delete(policy)
+    db.commit()
diff --git a/backend/app/api/rules.py b/backend/app/api/rules.py
new file mode 100644
index 0000000..20c7d7a
--- /dev/null
+++ b/backend/app/api/rules.py
@@ -0,0 +1,64 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from app import models, schemas
+from app.auth import get_current_user
+from app.database import get_db
+
+router = APIRouter()
+
+
+def _owner_config(config_id: int, db: Session, user: models.User) -> models.Config:
+    config = db.query(models.Config).filter(
+        models.Config.id == config_id, models.Config.owner_id == user.id
+    ).first()
+    if not config:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return config
+
+
+@router.get("/{config_id}/rules", response_model=list[schemas.RuleOut])
+def list_rules(config_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    return db.query(models.Rule).filter(models.Rule.config_id == config_id).order_by(models.Rule.position).all()
+
+
+@router.post("/{config_id}/rules", response_model=schemas.RuleOut, status_code=201)
+def create_rule(config_id: int, body: schemas.RuleCreate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    rule = models.Rule(**body.model_dump(), config_id=config_id)
+    db.add(rule)
+    db.commit()
+    db.refresh(rule)
+    return rule
+
+
+@router.get("/{config_id}/rules/{rule_id}", response_model=schemas.RuleOut)
+def get_rule(config_id: int, rule_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    rule = db.query(models.Rule).filter(models.Rule.id == rule_id, models.Rule.config_id == config_id).first()
+    if not rule:
+        raise HTTPException(status_code=404, detail="Rule not found")
+    return rule
+
+
+@router.put("/{config_id}/rules/{rule_id}", response_model=schemas.RuleOut)
+def update_rule(config_id: int, rule_id: int, body: schemas.RuleUpdate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    rule = db.query(models.Rule).filter(models.Rule.id == rule_id, models.Rule.config_id == config_id).first()
+    if not rule:
+        raise HTTPException(status_code=404, detail="Rule not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(rule, field, value)
+    db.commit()
+    db.refresh(rule)
+    return rule
+
+
+@router.delete("/{config_id}/rules/{rule_id}", status_code=204)
+def delete_rule(config_id: int, rule_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    rule = db.query(models.Rule).filter(models.Rule.id == rule_id, models.Rule.config_id == config_id).first()
+    if not rule:
+        raise HTTPException(status_code=404, detail="Rule not found")
+    db.delete(rule)
+    db.commit()
diff --git a/backend/app/api/zones.py b/backend/app/api/zones.py
new file mode 100644
index 0000000..c4626f5
--- /dev/null
+++ b/backend/app/api/zones.py
@@ -0,0 +1,64 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from app import models, schemas
+from app.auth import get_current_user
+from app.database import get_db
+
+router = APIRouter()
+
+
+def _owner_config(config_id: int, db: Session, user: models.User) -> models.Config:
+    config = db.query(models.Config).filter(
+        models.Config.id == config_id, models.Config.owner_id == user.id
+    ).first()
+    if not config:
+        raise HTTPException(status_code=404, detail="Config not found")
+    return config
+
+
+@router.get("/{config_id}/zones", response_model=list[schemas.ZoneOut])
+def list_zones(config_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    return db.query(models.Zone).filter(models.Zone.config_id == config_id).all()
+
+
+@router.post("/{config_id}/zones", response_model=schemas.ZoneOut, status_code=201)
+def create_zone(config_id: int, body: schemas.ZoneCreate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    zone = models.Zone(**body.model_dump(), config_id=config_id)
+    db.add(zone)
+    db.commit()
+    db.refresh(zone)
+    return zone
+
+
+@router.get("/{config_id}/zones/{zone_id}", response_model=schemas.ZoneOut)
+def get_zone(config_id: int, zone_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    zone = db.query(models.Zone).filter(models.Zone.id == zone_id, models.Zone.config_id == config_id).first()
+    if not zone:
+        raise HTTPException(status_code=404, detail="Zone not found")
+    return zone
+
+
+@router.put("/{config_id}/zones/{zone_id}", response_model=schemas.ZoneOut)
+def update_zone(config_id: int, zone_id: int, body: schemas.ZoneUpdate, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    zone = db.query(models.Zone).filter(models.Zone.id == zone_id, models.Zone.config_id == config_id).first()
+    if not zone:
+        raise HTTPException(status_code=404, detail="Zone not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(zone, field, value)
+    db.commit()
+    db.refresh(zone)
+    return zone
+
+
+@router.delete("/{config_id}/zones/{zone_id}", status_code=204)
+def delete_zone(config_id: int, zone_id: int, db: Session = Depends(get_db), user: models.User = Depends(get_current_user)):
+    _owner_config(config_id, db, user)
+    zone = db.query(models.Zone).filter(models.Zone.id == zone_id, models.Zone.config_id == config_id).first()
+    if not zone:
+        raise HTTPException(status_code=404, detail="Zone not found")
+    db.delete(zone)
+    db.commit()