diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 4acda15b..e7acf1fa 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -23,7 +23,7 @@ use PVE::Storage;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::RESTHandler;
 use PVE::ReplicationConfig;
-use PVE::GuestHelpers qw(assert_tag_permissions check_vnet_access);
+use PVE::GuestHelpers qw(assert_tag_permissions);
 use PVE::QemuConfig;
 use PVE::QemuServer;
 use PVE::QemuServer::Cloudinit;
@@ -601,22 +601,6 @@ my $check_vm_create_usb_perm = sub {
     return 1;
 };
 
-my $check_bridge_access = sub {
-    my ($rpcenv, $authuser, $param) = @_;
-
-    return 1 if $authuser eq 'root@pam';
-
-    foreach my $opt (keys %{$param}) {
-	next if $opt !~ m/^net\d+$/;
-	my $net = PVE::QemuServer::parse_net($param->{$opt});
-	my $bridge = $net->{bridge};
-	my $tag = $net->{tag};
-	my $trunks = $net->{trunks};
-	check_vnet_access($rpcenv, $authuser, $bridge, $tag, $trunks);
-    }
-    return 1;
-};
-
 my $check_vm_modify_config_perm = sub {
     my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
 
@@ -884,7 +868,7 @@ __PACKAGE__->register_method({
 
 		my $vzdump_conf = PVE::Storage::extract_vzdump_config($storecfg, $archive);
 		my $backup_conf = PVE::QemuServer::parse_vm_config("restore/qemu-server/$vmid.conf", $vzdump_conf, 1);
-		&$check_bridge_access($rpcenv, $authuser, $backup_conf);
+		PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $backup_conf);
 
 		$archive = $parse_restore_archive->($storecfg, $archive);
 	    }
@@ -899,7 +883,7 @@ __PACKAGE__->register_method({
 
 	    &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
 	    &$check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
-	    &$check_bridge_access($rpcenv, $authuser, $param);
+	    PVE::QemuServer::check_bridge_access->($rpcenv, $authuser, $param);
 	    &$check_cpu_model_access($rpcenv, $authuser, $param);
 
 	    $check_drive_param->($param, $storecfg);
@@ -1619,7 +1603,7 @@ my $update_vm_api  = sub {
 
     &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
 
-    &$check_bridge_access($rpcenv, $authuser, $param);
+    PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
 
     my $updatefn =  sub {
 
@@ -3532,7 +3516,7 @@ __PACKAGE__->register_method({
 
 	    my $sharedvm = &$check_storage_access_clone($rpcenv, $authuser, $storecfg, $oldconf, $storage);
 
-	    &$check_bridge_access($rpcenv, $authuser, $oldconf);
+	    PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $oldconf);
 
 	    die "can't clone VM to node '$target' (VM uses local storage)\n"
 		if $target && !$sharedvm;
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index cd371e11..df0e3bb3 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6513,6 +6513,20 @@ sub vm_sendkey {
     });
 }
 
+sub check_bridge_access {
+    my ($rpcenv, $authuser, $conf) = @_;
+
+    return 1 if $authuser eq 'root@pam';
+
+    for my $opt (sort keys $conf->%*) {
+	next if $opt !~ m/^net\d+$/;
+	my $net = parse_net($conf->{$opt});
+	my ($bridge, $tag, $trunks) = $net->@{'bridge', 'tag', 'trunks'};
+	PVE::GuestHelpers::check_vnet_access($rpcenv, $authuser, $bridge, $tag, $trunks);
+    }
+    return 1;
+};
+
 # vzdump restore implementaion
 
 sub tar_archive_read_firstfile {