From a0801f92c3c96b328388e453a3a15ef1d79e7def Mon Sep 17 00:00:00 2001
From: Matt White <matt.white@microsoft.com>
Date: Wed, 27 Apr 2022 11:18:34 +0100
Subject: [PATCH]  Update ready for release v2.0.0 (#349)

Updates to documentation for upcoming v2.0.0 release
---
 .../EnterpriseScaleLibraryTools.psd1          |   2 +-
 .../EnterpriseScaleLibraryTools.psm1          |   3 +-
 README.md                                     | 146 ++++---
 docs/wiki/Home.md                             |   8 +-
 docs/wiki/Troubleshooting.md                  |   2 +-
 ...ectivity-Resources-With-Custom-Settings.md |   6 +-
 ...Examples]-Deploy-Connectivity-Resources.md |   4 +-
 ...]-Deploy-Custom-Landing-Zone-Archetypes.md |   8 +-
 ...[Examples]-Deploy-Default-Configuration.md |   2 +-
 ...es]-Deploy-Demo-Landing-Zone-Archetypes.md |   6 +-
 ...Identity-Resources-With-Custom-Settings.md |   6 +-
 .../[Examples]-Deploy-Identity-Resources.md   |   2 +-
 ...nagement-Resources-With-Custom-Settings.md |   6 +-
 .../[Examples]-Deploy-Management-Resources.md |   2 +-
 .../[Examples]-Deploy-Using-Module-Nesting.md |  12 +-
 ...]-Expand-built-in-archetype-definitions.md |   2 +-
 ...mples]-Override-Module-Role-Assignments.md |   6 +-
 .../[User-Guide]-Connectivity-Resources.md    |  37 +-
 docs/wiki/[User-Guide]-Core-Resources.md      |   4 +-
 docs/wiki/[User-Guide]-Getting-Started.md     |   2 +-
 docs/wiki/[User-Guide]-Identity-Resources.md  |   4 +-
 .../wiki/[User-Guide]-Management-Resources.md |   5 +-
 docs/wiki/[User-Guide]-Module-Variables.md    |   2 +-
 .../[User-Guide]-Provider-Configuration.md    |  14 +-
 ...er-Guide]-Upgrade-from-v1.1.4-to-v2.0.0.md | 343 +++++++++++++++++
 ...ables]-configure_connectivity_resources.md | 355 ++++++++++++++++--
 docs/wiki/[Variables]-disable_telemetry.md    |   6 +-
 docs/wiki/_Sidebar.md                         |   4 +-
 locals.version.tf                             |   2 +-
 tests/README.md                               |   2 +-
 tests/opa/policy/readme.md                    |   4 +-
 tests/scripts/opa-values-generator.ps1        |   2 +-
 32 files changed, 837 insertions(+), 172 deletions(-)
 create mode 100644 docs/wiki/[User-Guide]-Upgrade-from-v1.1.4-to-v2.0.0.md

diff --git a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psd1 b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psd1
index 4cca2f5d8..bb7f852c6 100755
--- a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psd1
+++ b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psd1
@@ -32,7 +32,7 @@ CompanyName = 'krowlandson'
 Copyright = 'Copyright (c) 2020 Kevin Rowlandson. All rights reserved.'
 
 # Description of the functionality provided by this module
-Description = 'This module provides a set of custom classes and functions used for managing the template library in the Terraform Module for Cloud Adoption Framework Enterprise-scale.'
+Description = 'This module provides a set of custom classes and functions used for managing the template library in the Azure landing zones Terraform module.'
 
 # Minimum version of the PowerShell engine required by this module
 PowerShellVersion = '7.0'
diff --git a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1 b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1
index 45ac22ad2..a07bfbc1d 100755
--- a/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1
+++ b/.github/scripts/EnterpriseScaleLibraryTools/EnterpriseScaleLibraryTools.psm1
@@ -498,8 +498,7 @@ class ArmTemplateResource : ESLTBase {
         $this.apiVersion = [ProviderApiVersions]::GetLatestStableByType($ResourceType)
     }
 
-    # Update resource values as per requirements for Terraform Module
-    # for Cloud Adoption Framework Enterprise Scale
+    # Update resource values as per requirements for Azure landing zones Terraform module
     [Object] ToTemplateFile() {
         if ($this.type -eq "Microsoft.Authorization/policyAssignments") {
             $this.properties.scope = "`${current_scope_resource_id}"
diff --git a/README.md b/README.md
index 9798e33ec..54d36304f 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Terraform Module for Cloud Adoption Framework Enterprise-scale
+# Azure landing zones Terraform module
 
 [![Build Status](https://dev.azure.com/mscet/CAE-ESTF/_apis/build/status/Tests/E2E?branchName=main)](https://dev.azure.com/mscet/CAE-ESTF/_build/latest?definitionId=26&branchName=main)
 ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Azure/terraform-azurerm-caf-enterprise-scale?style=flat&logo=github)
@@ -14,9 +14,10 @@ Detailed information about how to use, configure and extend this module can be f
 
 ## Overview
 
-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for deploying and managing the core platform capabilities of [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture] using Terraform.
+The [Azure landing zones Terraform module][terraform-registry-caf-enterprise-scale] is designed to accelerate deployment of the [Azure landing zones conceptual architecture][ESLZ-Architecture] using Terraform.
 
-Depending on selected options, this module can deploy different groups of resources as needed.
+Using a very simple initial configuration, the module will deploy the recommended core Management Group hierarchy, including the recommended governance baseline using Azure Policy.
+The default configuration can be easily extended to meet differing requirements, and includes the ability to deploy platform resources.
 
 This is currently split logically into the following capabilities:
 
@@ -31,9 +32,9 @@ The following sections outline the different resource types deployed and managed
 
 ### Core resources
 
-The core capability of this module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+The core capability of this module deploys the foundations of the [Azure landing zones conceptual architecture][ESLZ-Architecture], with a focus on resource hierarchy and governance:
 
-![Enterprise-scale Core Landing Zones Architecture][TFAES-Overview]
+![Azure landing zones conceptual architecture][TFAES-Overview]
 
 The following resource types are deployed and managed by this module when using the core capabilities:
 
@@ -53,12 +54,12 @@ The exact number of resources created depends on the module configuration, but y
 
 ### Management resources
 
-From release `v0.2.0` onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+The module includes functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the Subscription context set by the `azurerm.management` provider alias.
 This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
 
-![Enterprise-scale Management Landing Zone Architecture][TFAES-Management]
+![Azure landing zones management architecture][TFAES-Management]
 
-The following resource types are deployed and managed by this module when the Management resources capabilities are enabled:
+The following resource types are deployed and managed by this module when the Management capabilities are enabled:
 
 |     | Azure Resource | Terraform Resource |
 | --- | -------------- | ------------------ |
@@ -72,16 +73,21 @@ Please refer to the [Deploy Management Resources][wiki_deploy_management_resourc
 
 ### Connectivity resources
 
-From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the current Subscription context.
-This is currently limited to the Hub & Spoke network topology, but the addition of Virtual WAN capabilities is on our roadmap (date TBC).
+The module enables deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the Subscription context set by the `azurerm.connectivity` provider alias.
 
-![Enterprise-scale Connectivity Landing Zone Architecture][TFAES-Connectivity]
+![Azure landing zones connectivity architecture][TFAES-Connectivity]
+
+The module supports creating multiple hubs (one per specified location) in both a `Hub and Spoke` or `Virtual WAN` configuration.
+There are also additional supporting resources deployed for DDoS Protection and DNS zones.
+You can also create a combination of both networks.
+
+Each hub can be individually configured as needed.
 
 > **NOTE:** The module currently only configures the networking hub, and dependent resources for the `Connectivity` Subscription.
-> To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering.
+> To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering (for `Hub and Spoke` networks).
 > Improving this story is our next priority on the product roadmap.
 
-The following resource types are deployed and managed by this module when the Connectivity resources capabilities are enabled:
+The following resource types are deployed and managed by this module when the Connectivity capabilities are enabled:
 
 |     | Azure Resource | Terraform Resource |
 | --- | -------------- | ------------------ |
@@ -90,32 +96,42 @@ The following resource types are deployed and managed by this module when the Co
 | Subnets | [`Microsoft.Network/virtualNetworks/subnets`][arm_subnet] | [`azurerm_subnet`][azurerm_subnet] |
 | Virtual Network Gateways | [`Microsoft.Network/virtualNetworkGateways`][arm_virtual_network_gateway] | [`azurerm_virtual_network_gateway`][azurerm_virtual_network_gateway] |
 | Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Azure Firewall Policies | [`Microsoft.Network/firewallPolicies`][arm_firewall_policy] | [`azurerm_firewall_policy`][azurerm_firewall_policy] |
 | Public IP Addresses | [`Microsoft.Network/publicIPAddresses`][arm_public_ip] | [`azurerm_public_ip`][azurerm_public_ip] |
+| Virtual Network Peerings | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+| Virtual WANs | [`Microsoft.Network/virtualWans`][arm_virtual_wan] | [`azurerm_virtual_wan`][azurerm_virtual_wan] |
+| Virtual Hubs | [`Microsoft.Network/virtualHubs`][arm_virtual_hub] | [`azurerm_virtual_hub`][azurerm_virtual_hub] |
+| Express Route Gateways | [`Microsoft.Network/expressRouteGateways`][arm_express_route_gateway] | [`azurerm_express_route_gateway`][azurerm_express_route_gateway] |
+| VPN Gateways | [`Microsoft.Network/vpnGateways`][arm_vpn_gateway] | [`azurerm_vpn_gateway`][azurerm_vpn_gateway] |
+| Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Azure Firewall Policies | [`Microsoft.Network/firewallPolicies`][arm_firewall_policy] | [`azurerm_firewall_policy`][azurerm_firewall_policy] |
+| Virtual Hub Connections | [`Microsoft.Network/virtualHubs/hubVirtualNetworkConnections`][arm_virtual_hub_connection] | [`azurerm_virtual_hub_connection`][azurerm_virtual_hub_connection] |
 | DDoS Protection Plans | [`Microsoft.Network/ddosProtectionPlans`][arm_ddos_protection_plan] | [`azurerm_network_ddos_protection_plan`][azurerm_network_ddos_protection_plan] |
-| DNS Zones (pending) | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
-| Virtual Network Peerings (pending) | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+| DNS Zones | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
 
-Please refer to the [Deploy Connectivity Resources][wiki_deploy_connectivity_resources] page on our Wiki for more information about how to use this capability.
+Further guidance on how to deploy and configure `Hub and Spoke` networks can be found on the [Deploy Connectivity Resources][wiki_deploy_connectivity_resources] Wiki page.
+
+Further guidance on how to deploy and configure `Virtual WAN` networks will be added to the Wiki in the future.
 
 ### Identity resources
 
-From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Identity and access management][ESLZ-Identity] resources into the current Subscription context.
+The module enables deployment and configuration of Azure Policy to control governance over the [Identity and access management][ESLZ-Identity] Subscription.
 
-![Enterprise-scale Identity Landing Zone Architecture][TFAES-Identity]
+![Azure landing zones identity architecture][TFAES-Identity]
 
-No additional resources are deployed by this capability, however policy settings relating to the `Identity` Management Group can now be easily updated via the `configure_identity_resources` input variable.
+No additional resources are currently deployed by this capability, however policy settings relating to the `Identity` Management Group can be easily updated via the `configure_identity_resources` input variable.
 
 Please refer to the [Deploy Identity Resources][wiki_deploy_identity_resources] page on our Wiki for more information about how to use this capability.
 
 ## Terraform versions
 
-This module has been tested using Terraform `0.15.0` and AzureRM Provider `3.0.2` as a baseline, and various versions to up the latest at time of release.
+This module has been tested using Terraform `0.15.1` and AzureRM Provider `3.0.2` as a baseline, and various versions to up the latest at time of release.
 In some cases, individual versions of the AzureRM provider may cause errors.
 If this happens, we advise upgrading to the latest version and checking our [troubleshooting][wiki_troubleshooting] guide before [raising an issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).
 
 ## Usage
 
-As a basic starting point, we recommend starting with the following configuration in your root module.
+We recommend starting with the following configuration in your root module to learn what resources are created by the module and how it works.
 
 This will deploy the core components only.
 
@@ -160,12 +176,12 @@ variable "root_name" {
   default = "Enterprise-Scale"
 }
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.3"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -208,60 +224,15 @@ For the latest examples, please refer to our [Examples][wiki_examples] guide on
   - [Override Module Role Assignments][wiki_override_module_role_assignments]
   - [Deploy Using Module Nesting][wiki_deploy_using_module_nesting]
 
-## Release Notes
-
-Release `v1.1.4` is a hotfix release to add a `azurerm` provider verison constraint of `< 3.0.0`.
-This is a workaround for the resource schema changes as reported in issue [#309](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/309).
-
-Release `v1.1.3` is a hotfix relating to support for using YAML with archetype extensions and exclusions.
-
-Release `v1.1.2` introduces the following changes:
-
-- Update module to provide full support for `templatefile()` functionality (Fixes #253)
-- Extend built-in template file variables for use with template files in module library (Fixes #255 and #207)
-
-Release `v1.1.1` introduces the following changes:
-
-- Update regex logic for `root_id` and `scope_id` input variables on `archetypes` child module (Fixes #241)
-- Add `requried_version` to Terraform configuration to ensure only supported version of Terraform is used
-- Add documentation to Wiki for the [configure_connectivity_resources](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BVariables%5D-configure_connectivity_resources) and [configure_management_resources](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BVariables%5D-configure_management_resources) input variables
+## Release notes
 
-No breaking changes identified.
+Please see the [releases][repo_releases] page for the latest module updates.
 
-Release `v1.1.0` introduces the following changes:
-
-- **BREAKING CHANGE**: Replaced `Deploy-ASC-Configuration` Policy Assignment with `Deploy-ASCDF-Config`, utilizing built-in policies and also adds support for [Microsoft Defender for open-source relational databases](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-databases-introduction).
-  - Fixing [Add Defender support for Open-source relational databases #131](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/131).
-  - **Note:** Will result in loss of policy compliance history.
-  - Consider making a copy of the removed policy templates to a custom `lib` folder and using the [archetype extension](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Expand-Built-in-Archetype-Definitions#to-enable-the-extension-function) capability if you wish to retain the old Assignment to keep policy compliance history.
-  - Requires an update to the `configure_management_resources` input variable:
-
-```hcl
-{
-  settings = {
-    # (1 unchanged element hidden)
-    security_center = {
-      # (1 unchanged element hidden)
-      config = {
-        # (7 unchanged elements hidden)
-        enable_defender_for_oss_databases  = true
-        # (4 unchanged elements hidden)
-      }
-    }
-  }
-  # (3 unchanged elements hidden)
-}
-```
-
-- Updates to Wiki documentation
-- Multiple bug fixes covering:
-  - Fix "managed parameters" for `Enable-DDoS-VNET` Policy Assignment at `landing-zones` scope (no issue logged)
-  - [Changing root_parent_id results in Management Groups not being deployed #190](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/190)
-  - [Bug Report: Private DNS zone link in setting.connectivity.tf #204](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/204)
-  - [Incorrect enforcementMode setting on Enable-DDoS-VNET Policy Assignment #216](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/216)
+## Upgrade guides
 
 For upgrade guides from previous versions, please refer to the following links:
 
+- [Upgrade from v1.1.4 to v2.0.0][wiki_upgrade_from_v1_1_4_to_v2_0_0]
 - [Upgrade from v0.4.0 to v1.0.0][wiki_upgrade_from_v0_4_0_to_v1_0_0]
 - [Upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0]
 - [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
@@ -269,9 +240,9 @@ For upgrade guides from previous versions, please refer to the following links:
 
 ## Telemetry
 
-> The following statement is applicable from release v1.2.0 onwards
+> The following statement is applicable from release v2.0.0 onwards
 
-When you deploy one or more modules in Azure Landing Zones Terraform repo, Microsoft can identify the installation of said module/s with the deployed Azure resources.
+When you deploy one or more modules using the Azure landing zones Terraform module, Microsoft can identify the installation of said module/s with the deployed Azure resources.
 Microsoft can correlate these resources used to support the software.
 Microsoft collects this information to provide the best experiences with their products and to operate their business.
 The telemetry is collected through customer usage attribution.
@@ -295,10 +266,10 @@ If you don't wish to send usage data to Microsoft, details on how to turn it off
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Overview]:     https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
-[TFAES-Management]:   https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
-[TFAES-Connectivity]: https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
-[TFAES-Identity]:     https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]:     https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Azure landing zones architecture deployed by this module."
+[TFAES-Management]:   https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Azure landing zones architecture deployed by this module."
+[TFAES-Connectivity]: https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Azure landing zones architecture deployed by this module."
+[TFAES-Identity]:     https://raw.githubusercontent.com/wiki/Azure/terraform-azurerm-caf-enterprise-scale/media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
@@ -306,7 +277,7 @@ If you don't wish to send usage data to Microsoft, details on how to turn it off
 
 [msft-privacy-policy]: https://www.microsoft.com/trustcenter  "Microsoft's privacy policy"
 
-[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Azure landing zones Terraform module"
 
 [ESLZ-Architecture]: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
 [ESLZ-Management]:   https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
@@ -333,6 +304,12 @@ If you don't wish to send usage data to Microsoft, details on how to turn it off
 [arm_ddos_protection_plan]:           https://docs.microsoft.com/azure/templates/microsoft.network/ddosprotectionplans
 [arm_dns_zone]:                       https://docs.microsoft.com/azure/templates/microsoft.network/dnszones
 [arm_virtual_network_peering]:        https://docs.microsoft.com/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings
+[arm_virtual_wan]:                    https://docs.microsoft.com/azure/templates/microsoft.network/virtualWans
+[arm_virtual_hub]:                    https://docs.microsoft.com/azure/templates/microsoft.network/virtualHubs
+[arm_express_route_gateway]:          https://docs.microsoft.com/azure/templates/microsoft.network/expressRouteGateways
+[arm_vpn_gateway]:                    https://docs.microsoft.com/azure/templates/microsoft.network/vpnGateways
+[arm_firewall_policy]:                https://docs.microsoft.com/azure/templates/microsoft.network/firewallPolicies
+[arm_virtual_hub_connection]:         https://docs.microsoft.com/azure/templates/microsoft.network/virtualHubs/hubVirtualNetworkConnections
 
 [azurerm_management_group]:                   https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group
 [azurerm_management_group_policy_assignment]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment
@@ -354,10 +331,18 @@ If you don't wish to send usage data to Microsoft, details on how to turn it off
 [azurerm_network_ddos_protection_plan]:       https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan
 [azurerm_dns_zone]:                           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone
 [azurerm_virtual_network_peering]:            https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering
+[azurerm_virtual_wan]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_wan
+[azurerm_virtual_hub]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub
+[azurerm_express_route_gateway]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_gateway
+[azurerm_vpn_gateway]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_gateway
+[azurerm_firewall_policy]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy
+[azurerm_virtual_hub_connection]:             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection
 
 [TFAES-LICENSE]:      https://github.com/Azure/terraform-azurerm-enterprise-scale/blob/main/LICENSE
 [TFAES-Library]:      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/tree/main/modules/terraform-azurerm-caf-enterprise-scale-archetypes/lib
 
+[repo_releases]:      https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/releases "Release notes"
+
 <!--
 The following link references should be copied from `_sidebar.md` in the `./docs/wiki/` folder.
 Replace `./` with `https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/` when copying to here.
@@ -378,6 +363,7 @@ Replace `./` with `https://github.com/Azure/terraform-azurerm-caf-enterprise-sca
 [wiki_upgrade_from_v0_1_2_to_v0_2_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
 [wiki_upgrade_from_v0_3_3_to_v0_4_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Wiki - Upgrade from v0.3.3 to v0.4.0"
 [wiki_upgrade_from_v0_4_0_to_v1_0_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v0.4.0-to-v1.0.0 "Wiki - Upgrade from v0.4.0 to v1.0.0"
+[wiki_upgrade_from_v1_1_4_to_v2_0_0]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Upgrade-from-v1.1.4-to-v2.0.0 "Wiki - Upgrade from v1.1.4 to v2.0.0"
 [wiki_examples]:                              https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples "Wiki - Examples"
 [wiki_examples_level_100]:                    https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples#advanced-level-100 "Wiki - Examples"
 [wiki_examples_level_200]:                    https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/Examples#advanced-level-200 "Wiki - Examples"
diff --git a/docs/wiki/Home.md b/docs/wiki/Home.md
index 625886f6d..1625a68b2 100644
--- a/docs/wiki/Home.md
+++ b/docs/wiki/Home.md
@@ -1,6 +1,6 @@
-# Terraform Module for Cloud Adoption Framework Enterprise-scale
+# Azure landing zones Terraform module
 
-The [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] provides an opinionated approach for deploying and managing the core platform capabilities of [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture] using Terraform, with a focus on the central resource hierarchy:
+The [Azure landing zones Terraform module][terraform-registry-caf-enterprise-scale] provides an opinionated approach for deploying and managing the core platform capabilities of [Azure landing zones architecture][ESLZ-Architecture] using Terraform, with a focus on the central resource hierarchy:
 
 ![Enterprise-scale Landing Zone Architecture][TFAES-Overview]
 
@@ -43,14 +43,14 @@ Check out the [User Guide](./User-Guide), or go straight to our [Examples](./Exa
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
  [//]: # (************************)
 
 [ESLZ-Architecture]:                              https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Enterprise-scale Reference Architecture"
-[terraform-registry-caf-enterprise-scale]:        https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[terraform-registry-caf-enterprise-scale]:        https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Azure landing zones Terraform module"
 [management-group-and-subscription-organization]: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization "Cloud Adoption Framework: Management group and subscription organization"
 [identity-and-access-management]:                 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management "Cloud Adoption Framework: Identity and access management"
 [management-and-monitoring]:                      https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring "Cloud Adoption Framework: Management and monitoring"
diff --git a/docs/wiki/Troubleshooting.md b/docs/wiki/Troubleshooting.md
index 0a531a35c..8b6116a0f 100644
--- a/docs/wiki/Troubleshooting.md
+++ b/docs/wiki/Troubleshooting.md
@@ -2,7 +2,7 @@ Having trouble using the module and unable to find a solution in the Wiki?
 
 If it isn't listed below, let us know about it in our [Issues][Issues] log. We'll do our best to help and you may find your issue documented here in the future!
 
-[Issues]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues "Terraform Module for Cloud Adoption Framework Enterprise-scale: Report an Issue"
+[Issues]: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues "Azure landing zones Terraform module: Report an Issue"
 
 #### Errors creating Role Definitions and Role Assignments
 
diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
index 8dc1fc0ec..5df353dcc 100644
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources-With-Custom-Settings.md
@@ -137,12 +137,12 @@ It also contains the module declaration for this module, containing a number of
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
index c54e3fef7..11ad27ac5 100644
--- a/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Connectivity-Resources.md
@@ -3,7 +3,7 @@
 This page describes how to deploy Enterprise-scale with the [Connectivity resources][wiki_connectivity_resources] created in the current Subscription context, using the default configuration settings.
 
 As connectivity resources can start to significantly increase Azure consumption costs, the module defaults are aimed to help build the basic connectivity configuration whilst minimising cost.
-Please refer to the Cloud Adoption Framework [Network topology and connectivity][ESLZ-Connectivity] recommendations to better understand which of these settings you should enable in a Production environment.
+Please refer to the [Network topology and connectivity][ESLZ-Connectivity] recommendations to better understand which of these settings you should enable in a Production environment.
 
 In this example, we take the [default configuration][wiki_deploy_default_configuration] and make the following changes:
 
@@ -65,7 +65,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
index af96b0f8d..d9c134990 100644
--- a/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Custom-Landing-Zone-Archetypes.md
@@ -89,12 +89,12 @@ To allow the declaration of custom templates, you must create a custom library f
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -144,7 +144,7 @@ module "enterprise_scale" {
 
 > IMPORTANT: Please ensure you create this file in the `/lib` directory within your root module.
 
-The `lib/archetype_definition_customer_online.json` file contains a custom "archetype definition". This is a custom JSON format used specifically by the Terraform Module for Cloud Adoption Framework Enterprise-scale.
+The `lib/archetype_definition_customer_online.json` file contains a custom "archetype definition". This is a custom JSON format used specifically by the Azure landing zones Terraform module.
 
 In this example, we are using this archetype definition to create an archetype called `customer_online`. This archetype definition includes the creation of Policy Assignments for `Deny-Resource-Locations` and `Deny-RSG-Locations`, with default values pre-defined in the archetype definition template.
 
diff --git a/docs/wiki/[Examples]-Deploy-Default-Configuration.md b/docs/wiki/[Examples]-Deploy-Default-Configuration.md
index 14d0d7cc4..828ffafb1 100644
--- a/docs/wiki/[Examples]-Deploy-Default-Configuration.md
+++ b/docs/wiki/[Examples]-Deploy-Default-Configuration.md
@@ -44,7 +44,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
index 165182560..1f9db762f 100644
--- a/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
+++ b/docs/wiki/[Examples]-Deploy-Demo-Landing-Zone-Archetypes.md
@@ -46,12 +46,12 @@ provider "azurerm" {
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
index 62ce7c220..69ce1208b 100644
--- a/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Identity-Resources-With-Custom-Settings.md
@@ -95,12 +95,12 @@ It also contains the module declaration for this module, containing a number of
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Identity-Resources.md b/docs/wiki/[Examples]-Deploy-Identity-Resources.md
index 6c9840797..c7d972fcd 100644
--- a/docs/wiki/[Examples]-Deploy-Identity-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Identity-Resources.md
@@ -58,7 +58,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
index b353c6d81..8a17e9945 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources-With-Custom-Settings.md
@@ -125,12 +125,12 @@ It also contains the module declaration for this module, containing a number of
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Management-Resources.md b/docs/wiki/[Examples]-Deploy-Management-Resources.md
index 6c7abd882..dd86bbfe9 100644
--- a/docs/wiki/[Examples]-Deploy-Management-Resources.md
+++ b/docs/wiki/[Examples]-Deploy-Management-Resources.md
@@ -59,7 +59,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
index 8415b5f82..a07efe312 100644
--- a/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
+++ b/docs/wiki/[Examples]-Deploy-Using-Module-Nesting.md
@@ -12,7 +12,7 @@ The extra code needed to extend your configuration, is the following:
 
 module "enterprise_scale_nested_landing_zone" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -129,12 +129,12 @@ To allow the declaration of custom templates, you must create a custom library f
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -183,7 +183,7 @@ module "enterprise_scale" {
 
 module "enterprise_scale_nested_landing_zone" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -221,7 +221,7 @@ module "enterprise_scale_nested_landing_zone" {
 
 > IMPORTANT: Please ensure you create this file in the `/lib` directory within your root module.
 
-The `lib/archetype_definition_customer_online.json` file contains a custom "archetype definition". This is a custom JSON format used specifically by the Terraform Module for Cloud Adoption Framework Enterprise-scale.
+The `lib/archetype_definition_customer_online.json` file contains a custom "archetype definition". This is a custom JSON format used specifically by the Azure landing zones Terraform module.
 
 In this example, we are using this archetype definition to create an archetype called `customer_online`. This archetype definition includes the creation of Policy Assignments for `Deny-Resource-Locations` and `Deny-RSG-Locations`, with default values pre-defined in the archetype definition template.
 
diff --git a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
index c21cf2817..6b00b8d6c 100644
--- a/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
+++ b/docs/wiki/[Examples]-Expand-built-in-archetype-definitions.md
@@ -96,7 +96,7 @@ data "azurerm_client_config" "core" {}
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
index 784877b29..7594f35e0 100644
--- a/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
+++ b/docs/wiki/[Examples]-Override-Module-Role-Assignments.md
@@ -97,12 +97,12 @@ To allow the declaration of custom templates, you must create a custom library f
 
 data "azurerm_client_config" "core" {}
 
-# Declare the Terraform Module for Cloud Adoption Framework
-# Enterprise-scale and provide a base configuration.
+# Declare the Azure landing zones Terraform module
+# and provide a base configuration.
 
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[User-Guide]-Connectivity-Resources.md b/docs/wiki/[User-Guide]-Connectivity-Resources.md
index 1e47ac399..bb3fd58db 100644
--- a/docs/wiki/[User-Guide]-Connectivity-Resources.md
+++ b/docs/wiki/[User-Guide]-Connectivity-Resources.md
@@ -1,17 +1,22 @@
 ## Overview
 
-From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the current Subscription context.
-This is currently limited to the Hub & Spoke network topology, but the addition of Virtual WAN capabilities is on our roadmap (date TBC).
+The module enables deployment of [Network topology and connectivity][ESLZ-Connectivity] resources into the Subscription context set by the `azurerm.connectivity` provider alias.
 
 ![Enterprise-scale Connectivity Landing Zone Architecture][TFAES-Connectivity]
 
+The module supports creating multiple hubs (one per specified location) in both a `Hub and Spoke` or `Virtual WAN` configuration.
+There are also additional supporting resources deployed for DDoS Protection and DNS zones.
+You can also create a combination of both topologies.
+
+Each hub can be individually configured as needed.
+
 > **NOTE:** The module currently only configures the networking hub, and dependent resources for the `Connectivity` Subscription.
 > To ensure we achieve the right balance of managing resources via Terraform vs. Azure Policy, we are still working on how best to handle the creation of spoke Virtual Networks and Virtual Network Peering.
 > Improving this story is our next priority on the product roadmap.
 
 ## Resource types
 
-The following resource types are deployed and managed by this module when the Connectivity resources capabilities are enabled:
+The following resource types are deployed and managed by this module when the Connectivity capabilities are enabled:
 
 |     | Azure Resource | Terraform Resource |
 | --- | -------------- | ------------------ |
@@ -20,10 +25,18 @@ The following resource types are deployed and managed by this module when the Co
 | Subnets | [`Microsoft.Network/virtualNetworks/subnets`][arm_subnet] | [`azurerm_subnet`][azurerm_subnet] |
 | Virtual Network Gateways | [`Microsoft.Network/virtualNetworkGateways`][arm_virtual_network_gateway] | [`azurerm_virtual_network_gateway`][azurerm_virtual_network_gateway] |
 | Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Azure Firewall Policies | [`Microsoft.Network/firewallPolicies`][arm_firewall_policy] | [`azurerm_firewall_policy`][azurerm_firewall_policy] |
 | Public IP Addresses | [`Microsoft.Network/publicIPAddresses`][arm_public_ip] | [`azurerm_public_ip`][azurerm_public_ip] |
+| Virtual Network Peerings | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+| Virtual WANs | [`Microsoft.Network/virtualWans`][arm_virtual_wan] | [`azurerm_virtual_wan`][azurerm_virtual_wan] |
+| Virtual Hubs | [`Microsoft.Network/virtualHubs`][arm_virtual_hub] | [`azurerm_virtual_hub`][azurerm_virtual_hub] |
+| Express Route Gateways | [`Microsoft.Network/expressRouteGateways`][arm_express_route_gateway] | [`azurerm_express_route_gateway`][azurerm_express_route_gateway] |
+| VPN Gateways | [`Microsoft.Network/vpnGateways`][arm_vpn_gateway] | [`azurerm_vpn_gateway`][azurerm_vpn_gateway] |
+| Azure Firewalls | [`Microsoft.Network/azureFirewalls`][arm_firewall] | [`azurerm_firewall`][azurerm_firewall] |
+| Azure Firewall Policies | [`Microsoft.Network/firewallPolicies`][arm_firewall_policy] | [`azurerm_firewall_policy`][azurerm_firewall_policy] |
+| Virtual Hub Connections | [`Microsoft.Network/virtualHubs/hubVirtualNetworkConnections`][arm_virtual_hub_connection] | [`azurerm_virtual_hub_connection`][azurerm_virtual_hub_connection] |
 | DDoS Protection Plans | [`Microsoft.Network/ddosProtectionPlans`][arm_ddos_protection_plan] | [`azurerm_network_ddos_protection_plan`][azurerm_network_ddos_protection_plan] |
-| DNS Zones (pending) | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
-| Virtual Network Peerings (pending) | [`Microsoft.Network/virtualNetworks/virtualNetworkPeerings`][arm_virtual_network_peering] | [`azurerm_virtual_network_peering`][azurerm_virtual_network_peering] |
+| DNS Zones | [`Microsoft.Network/dnsZones`][arm_dns_zone] | [`azurerm_dns_zone`][azurerm_dns_zone] |
 
 ## Next steps
 
@@ -33,7 +46,7 @@ Please refer to [Deploy Connectivity Examples][wiki_deploy_connectivity_resource
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Connectivity]: ./media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Connectivity]: ./media/terraform-caf-enterprise-scale-connectivity.png "Diagram showing the Connectivity resources for Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
@@ -50,6 +63,12 @@ Please refer to [Deploy Connectivity Examples][wiki_deploy_connectivity_resource
 [arm_ddos_protection_plan]:           https://docs.microsoft.com/azure/templates/microsoft.network/ddosprotectionplans
 [arm_dns_zone]:                       https://docs.microsoft.com/azure/templates/microsoft.network/dnszones
 [arm_virtual_network_peering]:        https://docs.microsoft.com/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings
+[arm_virtual_wan]:                    https://docs.microsoft.com/azure/templates/microsoft.network/virtualWans
+[arm_virtual_hub]:                    https://docs.microsoft.com/azure/templates/microsoft.network/virtualHubs
+[arm_express_route_gateway]:          https://docs.microsoft.com/azure/templates/microsoft.network/expressRouteGateways
+[arm_vpn_gateway]:                    https://docs.microsoft.com/azure/templates/microsoft.network/vpnGateways
+[arm_firewall_policy]:                https://docs.microsoft.com/azure/templates/microsoft.network/firewallPolicies
+[arm_virtual_hub_connection]:         https://docs.microsoft.com/azure/templates/microsoft.network/virtualHubs/hubVirtualNetworkConnections
 
 [azurerm_resource_group]:               https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group
 [azurerm_virtual_network]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network
@@ -60,5 +79,11 @@ Please refer to [Deploy Connectivity Examples][wiki_deploy_connectivity_resource
 [azurerm_network_ddos_protection_plan]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan
 [azurerm_dns_zone]:                     https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone
 [azurerm_virtual_network_peering]:      https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering
+[azurerm_virtual_wan]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_wan
+[azurerm_virtual_hub]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub
+[azurerm_express_route_gateway]:              https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/express_route_gateway
+[azurerm_vpn_gateway]:                        https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_gateway
+[azurerm_firewall_policy]:                    https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_policy
+[azurerm_virtual_hub_connection]:             https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection
 
 [wiki_deploy_connectivity_resources]:         https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Connectivity-Resources "Wiki - Deploy Connectivity Resources"
diff --git a/docs/wiki/[User-Guide]-Core-Resources.md b/docs/wiki/[User-Guide]-Core-Resources.md
index 5c4a170fe..b7c9a6e98 100644
--- a/docs/wiki/[User-Guide]-Core-Resources.md
+++ b/docs/wiki/[User-Guide]-Core-Resources.md
@@ -1,6 +1,6 @@
 ## Overview
 
-The core capability of this module deploys the foundations of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
+The core capability of this module deploys the foundations of the [Azure landing zones architecture][ESLZ-Architecture], with a focus on the central resource hierarchy and governance:
 
 ![Enterprise-scale Core Landing Zones Architecture][TFAES-Overview]
 
@@ -30,7 +30,7 @@ Please refer to [Deploy Default Configuration][wiki_deploy_default_configuration
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Overview]: ./media/terraform-caf-enterprise-scale-overview.png "Diagram showing the core Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
diff --git a/docs/wiki/[User-Guide]-Getting-Started.md b/docs/wiki/[User-Guide]-Getting-Started.md
index db85063ef..8e8e445d6 100644
--- a/docs/wiki/[User-Guide]-Getting-Started.md
+++ b/docs/wiki/[User-Guide]-Getting-Started.md
@@ -71,7 +71,7 @@ Copy and paste the following 'module' block into your Terraform configuration, i
 ```hcl
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
diff --git a/docs/wiki/[User-Guide]-Identity-Resources.md b/docs/wiki/[User-Guide]-Identity-Resources.md
index 8b0c96c7f..71a52aa8d 100644
--- a/docs/wiki/[User-Guide]-Identity-Resources.md
+++ b/docs/wiki/[User-Guide]-Identity-Resources.md
@@ -1,6 +1,6 @@
 ## Overview
 
-From release `v0.4.0` onwards, the module includes new functionality to enable deployment of [Identity and access management][ESLZ-Identity] resources into the current Subscription context.
+The module enables deployment and configuration of Azure Policy to control governance over the [Identity and access management][ESLZ-Identity] Subscription.
 
 ![Enterprise-scale Identity Landing Zone Architecture][TFAES-Identity]
 
@@ -12,7 +12,7 @@ Please refer to the [Deploy Identity Resources][wiki_deploy_identity_resources]
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Identity]: ./media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Identity]: ./media/terraform-caf-enterprise-scale-identity.png "Diagram showing the Identity resources for Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
diff --git a/docs/wiki/[User-Guide]-Management-Resources.md b/docs/wiki/[User-Guide]-Management-Resources.md
index 412b2f002..6e22a47d6 100644
--- a/docs/wiki/[User-Guide]-Management-Resources.md
+++ b/docs/wiki/[User-Guide]-Management-Resources.md
@@ -1,6 +1,6 @@
 ## Overview
 
-From release `v0.2.0` onwards, the module includes new functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the current Subscription context.
+The module includes functionality to enable deployment of [Management and monitoring][ESLZ-Management] resources into the Subscription context set by the `azurerm.management` provider alias.
 This brings the benefit of being able to manage the full lifecycle of these resources using Terraform, with native integration into the corresponding Policy Assignments to ensure full policy compliance.
 
 ![Enterprise-scale Management Landing Zone Architecture][TFAES-Management]
@@ -25,7 +25,7 @@ Please refer to [Deploy Management Resources][wiki_deploy_management_resources]
  [//]: # (INSERT IMAGE REFERENCES BELOW)
  [//]: # (*****************************)
 
-[TFAES-Management]:./media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Cloud Adoption Framework Enterprise-scale Landing Zone architecture deployed by this module."
+[TFAES-Management]:./media/terraform-caf-enterprise-scale-management.png "Diagram showing the Management resources for Azure landing zones architecture deployed by this module."
 
  [//]: # (************************)
  [//]: # (INSERT LINK LABELS BELOW)
@@ -45,5 +45,4 @@ Please refer to [Deploy Management Resources][wiki_deploy_management_resources]
 [azurerm_automation_account]:           https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/automation_account
 [azurerm_log_analytics_linked_service]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_linked_service
 
-
 [wiki_deploy_management_resources]:           https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources "Wiki - Deploy Management Resources"
diff --git a/docs/wiki/[User-Guide]-Module-Variables.md b/docs/wiki/[User-Guide]-Module-Variables.md
index 0388d44f2..7f67d4fab 100644
--- a/docs/wiki/[User-Guide]-Module-Variables.md
+++ b/docs/wiki/[User-Guide]-Module-Variables.md
@@ -460,7 +460,7 @@ Now you understand how to customize your deployment using the input variables, c
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
 
-[estf-inputs]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest?tab=inputs "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale - Inputs"
+[estf-inputs]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest?tab=inputs "Terraform Registry: Azure landing zones Terraform module - Inputs"
 
 [local_values]:    https://www.terraform.io/docs/language/values/locals.html "Local Values"
 [input_variables]: https://www.terraform.io/docs/language/values/variables.html "Input Variables"
diff --git a/docs/wiki/[User-Guide]-Provider-Configuration.md b/docs/wiki/[User-Guide]-Provider-Configuration.md
index 8d12faae6..4b8b775e0 100644
--- a/docs/wiki/[User-Guide]-Provider-Configuration.md
+++ b/docs/wiki/[User-Guide]-Provider-Configuration.md
@@ -1,6 +1,6 @@
 ## Overview
 
-As of release `v0.4.0`, the [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale] now uses multiple provider aliases to allow resources to be deployed directly to the intended Subscription, without the need to specify multiple instances of the module.
+The [Azure landing zones Terraform module][terraform-registry-caf-enterprise-scale] uses multiple provider aliases to allow resources to be deployed directly to the intended Subscription, without the need to specify multiple instances of the module.
 
 This change is intended to simplify deployments using a single pipeline to create all resources, as it is no longer necessary to share the configuration inputs across multiple instances of the module to achieve consistency between the resources created, and associated policies.
 
@@ -69,7 +69,7 @@ provider "azurerm" {
 
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -96,7 +96,7 @@ You must be authenticated to the Subscription where you want each set of resourc
 - When setting `deploy_management_resources = true`, you must also ensure you map the `azurerm.management` provider to authenticate against the same Subscription as specified in `subscription_id_management`.
 
 Although this may bring additional complexity to the module, this also enables the module to deploy resources across multiple Subscriptions.
-This is an important part of the [Cloud Adoption Framework enterprise-scale landing zone architecture][ESLZ-Architecture].
+This is an important part of the [Azure landing zones architecture][ESLZ-Architecture].
 
 Details of how to [configure authentication settings][authenticating_to_azure] can be found in the AzureRM Provider documentation.
 
@@ -149,7 +149,7 @@ provider "azurerm" {
 
 module "caf-enterprise-scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -207,7 +207,7 @@ data "azurerm_client_config" "connectivity" {
 # Map each module provider to their corresponding `azurerm` provider using the providers input object
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.1.4"
+  version = "2.0.0"
 
   providers = {
     azurerm              = azurerm
@@ -243,9 +243,9 @@ Learn how to use the [Module Variables](%5BUser-Guide%5D-Module-Variables) to cu
 [//]: # "INSERT LINK LABELS BELOW"
 [//]: # "************************"
 
-[ESLZ-Architecture]: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Cloud Adoption Framework enterprise-scale landing zone architecture"
+[ESLZ-Architecture]: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture "Azure landing zones architecture"
 
-[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Terraform Module for Cloud Adoption Framework Enterprise-scale"
+[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Azure landing zones Terraform module"
 [authenticating_to_azure]:                 https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure "Terraform Registry: Azure Provider (Authenticating to Azure)"
 
 [wiki_core_resources]:                        ./%5BUser-Guide%5D-Core-Resources "Wiki - Core Resources"
diff --git a/docs/wiki/[User-Guide]-Upgrade-from-v1.1.4-to-v2.0.0.md b/docs/wiki/[User-Guide]-Upgrade-from-v1.1.4-to-v2.0.0.md
new file mode 100644
index 000000000..b3deff9f2
--- /dev/null
+++ b/docs/wiki/[User-Guide]-Upgrade-from-v1.1.4-to-v2.0.0.md
@@ -0,0 +1,343 @@
+## Overview
+
+The `v2.0.0` release marks another significant milestone in development of the [Azure landing zones Terraform module][terraform-registry-caf-enterprise-scale] (_formerly [Terraform Module for Cloud Adoption Framework Enterprise-scale][terraform-registry-caf-enterprise-scale]_).
+The re-branding of this module reflects adoption of `Enterprise-scale` as the recommended architecture for `Azure landing zones`.
+
+This release provides the ability to deploy and configure `Virtual WAN` resources as part of the `connectivity` capability of the module.
+We have also included a number of fixes for other issues, and extended the existing `connectivity` capabilities for customers creating `Hub and Spoke` networks.
+
+### New features
+
+- Added support to create hub networks using Azure `Virtual WAN` in the connectivity Subscription
+- Updated the policies included within the module based on those in the upstream Enterprise-scale repository
+- Improved Wiki documentation, providing more examples and clearer guidance
+- Added module telemetry to help us better understand where to focus development efforts and improve customer experience
+- Update branding from `Enterprise-scale` to `Azure landing zones` (further work required to complete this transition)
+- Added `Azure Firewall Policy` resources to enable the `DNS Proxy` settings for `Azure Firewall` and simplify the configuration experience
+- Extended configuration options for the `Virtual Network Gateway` resources used for `hub and spoke` networks
+- The `threat_intel_mode` value for `azurerm_firewall` resources is now explicitly set with a default value of `Alert` to support the latest provider versions. This matches the previous "default" value of the old provider.
+- Added new variable `asc_export_resource_group_name` to fix #342
+- Added logic to automatically configure the `generation` value for VPN gateways without using the `advanced` object to fix #333
+- Added input variables and logic to simplify configuring active-active mode for VPN gateways without using the `advanced` object to fix #232
+- Added logic to suppress creation of Public IP resource(s) when a custom `ip_configuration` input is specified via the `advanced` block for the following resource types:
+  - `azurerm_virtual_network_gateway` (ExpressRoute and VPN)
+  - `azurerm_firewall`
+- Added input variables for BGP configuration settings without using the `advanced` object to fix #334
+- Added missing `vpn_auth_types` attribute for the `vpn_client_configuration` block on Virtual Network Gateway resources
+- Updated Wiki docs to reflect the included changes where covered in documentation
+- Updated test framework to provide coverage of the included fixes
+- Updated test strategy to ensure working versions are included from `v0.15.1` (new minimum required to fix `Error: Output refers to sensitive values`) to latest `v1.1.x`
+
+### Fixed issues
+
+- Fix [#226](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/226) (Add capability for "Virtual WAN Networking" resources - Connectivity Subscription)
+- Fix [#232](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/232) (can't create active-active vpngw)
+- Fix [#254](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/254) (Create Wiki docs page for custom policy definition, set definition (initiative) and assignment)
+- Fix [#264](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/264) (Update Policies For `v1.2.0` Release From Upstream)
+- Fix [#266](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/266) (Adding a new policy assignment forces the existing policy role assignments to be recreated)
+- Fix [#271](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/271) (Error: deleting Azure Firewall)
+- Fix [#272](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/272) (Argument `management_group_name` deprecated in favour of `management_group_id`)
+- Fix [#273](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/273) (`azurerm_role_assignment.policy_assignment` resources outputs missing)
+- Fix [#274](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/274) (Add Firewall Policy resources for the Azure Firewall resources deployed by the module)
+- Fix [#293](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/293) (Move FabricBot to Config-as-Code)
+- Fix [#295](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/295) (Missing data policies)
+- Fix [#305](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/305) (Add vwan settings to outputs)
+- Fix [#309](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/309) (Bug Report - AzureRM provider 3.0.0 availability zones error)
+- Fix [#319](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/319) (`azurerm_public_ip` prevents support of azurerm provider >= 3.0.0)
+- Fix [#333](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/333) (VPN Gateway Generations)
+- Fix [#334](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/334) (BGP configuration on VPN gateways)
+- Fix [#336](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/336) (Feature Request - Add AZ Support for Azure Firewall in Secure vHub Model)
+- Fix [#340](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/340) (Call to function "coalesce" failed: all arguments must have the same type.)
+- Fix [#342](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/342) (Ability to rename ASC export resource group name)
+- Work towards [#227](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/227) (Replace `try()` with `lookup()` where possible)
+
+### Breaking changes
+
+- :warning: Updated the minimum supported Terraform version to `0.15.1`
+- :warning: Updated the minimum supported `azurerm` provider version to `3.0.2`
+- :warning: Updated the required attributes for the `configure_management_resources` input variable to reflect recent policy updates for Microsoft Defender for Cloud
+- :warning: Extended the required attributes for the `configure_connectivity_resources` input variable to enable new functionality
+
+  > This will result in an error at `plan` until users update the input for `configure_connectivity_resources`.
+  > Longer term objective is to reduce the number of mandatory attributes within the schema using the `optional()` type wrapper once released as GA.
+
+- :warning: Updated preference to `Generation2` for supported VPN gateway SKUs, so some customers may have their VPN gateway redeployed to the new version. Instructions for how to override this added below.
+
+> **IMPORTANT:** If you are using the `advanced` input for `configure_connectivity_resources` please take extra care to note the changes listed in [PR: Fix multiple issues #345](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/pull/345).
+> A summary of these can be found below in the [Advanced configuration](#rocket-advanced-configuration) section.
+
+## Required actions
+
+Anyone using this module should be aware of the following when planning to upgrade from release `v1.1.4` to `v2.0.0`:
+
+1. Please review the updates listed above, especially in regard to the [**Breaking changes**](#breaking-changes).
+
+1. A select number of policies provided as part of this module have changed.
+Please carefully review [Resource changes](#resource-changes) provided below and the output of `terraform plan` to ensure there are no issues with any custom configuration within your root module.
+
+1. If you are using a custom library, the following library template types will need checking for references to updated policies as listed in the [resource changes](#resource-changes) section below:
+    1. Archetype Definitions
+    1. Policy Definitions
+    1. Policy Set Definitions
+    1. Policy Assignments
+
+1. Before making changes to your configuration, we recommend to update the module version and run `terraform init -upgrade` followed by `terraform plan` to see what changes are needed in the code.
+Fix any errors before reviewing the plan output to see whether any unexpected resource changes are going to happen.
+Review the additional guidance below to better understand what is likely to need changing, and please don't hesitate to log a [GitHub Issue](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues) if you're unclear on any of the required steps.
+
+> **IMPORTANT:** As with any Terraform upgrade, please carefully review the output of `terraform plan` to ensure there are no issues with any custom configuration within your root module or unexpected changes to your environment before applying.
+
+## Resource changes
+
+The following changes have been made within the module which should be reviewed carefully before running `terraform apply`:
+
+### Resource type: `azurerm_policy_definition`
+
+Terraform plan will identify a number of "_Objects have changed outside of Terraform_" due to changes in the latest provider versions.
+This will result in multiple messages similar to the following for the `azurerm_policy_definition` resources:
+
+```shell
+  # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/myorg/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly"] has changed
+  ~ resource "azurerm_policy_definition" "enterprise_scale" {
+        id                  = "/providers/Microsoft.Management/managementGroups/myorg/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly"
+      ~ management_group_id = "myorg" -> "/providers/Microsoft.Management/managementGroups/myorg"
+        name                = "Append-AppService-httpsonly"
+        # (7 unchanged attributes hidden)
+    }
+```
+
+No action should be required regarding the above.
+
+- The following Policy Definition changes have been included in the `es_root` archetype definition:
+  - `Deny-Subnet-Without-Nsg` updated
+  - `Deny-Subnet-Without-Udr` updated
+  - `Deny-VNET-Peering-To-Non-Approved-VNETs` added
+
+These will result in a change to the resources deployed by the module.
+
+### Resource type: `azurerm_policy_set_definition`
+
+Terraform plan will identify a number of "_Objects have changed outside of Terraform_" due to changes in the latest provider versions.
+This will result in multiple messages similar to the following for the `azurerm_policy_set_definition` resources:
+
+```shell
+  # module.enterprise_scale.azurerm_policy_set_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/myorg/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints"] has changed
+  ~ resource "azurerm_policy_set_definition" "enterprise_scale" {
+        id                  = "/providers/Microsoft.Management/managementGroups/myorg/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints"
+      ~ management_group_id = "myorg" -> "/providers/Microsoft.Management/managementGroups/myorg"
+        name                = "Deny-PublicPaaSEndpoints"
+        # (5 unchanged attributes hidden)
+
+        # (10 unchanged blocks hidden)
+    }
+```
+
+No action should be required regarding the above.
+
+- The following Policy Set Definition changes have been included in the `es_root` archetype definition:
+  - `Deploy-ASCDF-Config` replaced by `Deploy-MDFC-Config`
+
+These will result in a change to the resources deployed by the module.
+
+### Resource type: `azurerm_policy_assignment`
+
+- The following Policy Assignment changes have been included in the `es_corp` archetype definition:
+  - `Deny-DataB-Pip` added
+  - `Deny-DataB-Sku` added
+  - `Deny-DataB-Vnet` added
+
+- The following Policy Assignment changes have been included in the `v` archetype definition:
+  - `Deploy-ASCDF-Config` replaced by `Deploy-MDFC-Config`
+
+These will result in a change to the resources deployed by the module.
+
+### Resource type: `azurerm_role_definition`
+
+- The following Role Definition changes have been included in the `es_root` archetype definition:
+  - `Application-Owners` added
+  - `Network-Management` added
+  - `Security-Operations` added
+  - `Subscription-Owner` added
+
+### Resource type: `azurerm_role_assignment`
+
+To address issue #266 (Adding a new policy assignment forces the existing policy role assignments to be recreated), the associated Role Assignments have been moved into a child module.
+
+This will result in all `azurerm_role_assignment` to be recreated for Policy Assignments with a Managed Identity.
+
+This isn't expected to have an impact on customers, but should be noted during the upgrade process.
+
+### Management resources
+
+To reflect the latest changes to policy for Microsoft Defender for Cloud (formerly Azure Security Center), we have had to update the `configure_management_resources` input object.
+
+If you have set custom values for `configure_management_resources`, please update your code to reflect these changes.
+
+The `settings.security_center.config.enable_defender_for_acr` and `settings.security_center.config.enable_defender_for_kubernetes` attributes have been removed, and are instead controlled by a single input for `settings.security_center.config.enable_defender_for_containers`.
+
+All management resources which support tags will have the default tags updated unless these have been overridden within a custom configuration.
+This will result in multiple resources detecting an `~ update in-place` action similar to the following:
+
+```shell
+  # module.enterprise_scale.azurerm_log_analytics_workspace.management["/subscriptions/23b6acec-2ae4-4b66-9f1f-120647cffe55/resourceGroups/myorg-mgmt/providers/Microsoft.OperationalInsights/workspaces/myorg-la"] will be updated in-place
+  ~ resource "azurerm_log_analytics_workspace" "management" {
+        id                         = "/subscriptions/23b6acec-2ae4-4b66-9f1f-120647cffe55/resourceGroups/myorg-mgmt/providers/Microsoft.OperationalInsights/workspaces/myorg-la"
+        name                       = "myorg-la"
+      ~ tags                       = {
+          ~ "deployedBy" = "terraform/azure/caf-enterprise-scale/v1.1.4" -> "terraform/azure/caf-enterprise-scale/v2.0.0"
+        }
+        # (10 unchanged attributes hidden)
+    }
+```
+
+No action should be required regarding the above.
+
+### Connectivity resources
+
+The big change is we've now enabled deployment of `Virtual WAN` hub networks.
+This will have no impact on existing deployments, but to use this feature you will need to configure the existing `configure_connectivity_resources. settings.vwan_hub_networks` input which is now activated.
+
+> More details on how to deploy and configure `Virtual WAN` hub networks will be added to the Wiki soon!
+> Note that we still only support creation of the hub network and not spokes due to provider limitations, however bi-directional peering can be created for `Virtual WAN` networks.
+
+The `configure_connectivity_resources` input variable has been updated to improve ease of use when configuring VPN gateway and Azure Firewall settings in a `Hub and Spoke` network.
+
+If you have set a custom value for `configure_connectivity_resources`, please review the additional details below and update your code to reflect the updated input variable schema.
+
+To provide greater flexibility when configuring VPN gateways, a new `advanced_vpn_settings` object has been added under `settings.hub_networks[].config.virtual_network_gateway.config`.
+This addition allows more VPN gateway settings to be configured through the module.
+
+The following `advanced_vpn_settings` value will result in no configuration changes for customers who are already using module defaults:
+
+```terraform
+advanced_vpn_settings = {
+  enable_bgp                       = null
+  active_active                    = null
+  private_ip_address_allocation    = ""
+  default_local_network_gateway_id = ""
+  vpn_client_configuration         = []
+  bgp_settings                     = []
+  custom_route                     = []
+}
+```
+
+To provide greater flexibility when configuring the Azure Firewalls, the module now deploys a Firewall Policy for each Azure Firewall created by the module.
+This addition activates the existing `enable_dns_proxy` setting, but also allows a number of other settings to be configured through the module.
+
+The following attributes have been added under `settings.hub_networks[].config.azure_firewall.config`
+
+- `dns_servers`
+- `sku_tier`
+- `base_policy_id`
+- `private_ip_ranges`
+- `threat_intelligence_mode`
+- `threat_intelligence_allowlist`
+
+The following values will result in no configuration changes for customers who are already using module defaults:
+
+```terraform
+dns_servers                   = []
+sku_tier                      = ""
+base_policy_id                = ""
+private_ip_ranges             = []
+threat_intelligence_mode      = ""
+threat_intelligence_allowlist = []
+```
+
+> **IMPORTANT:** If you have updated any connectivity resource settings using the `advanced` configuration object, you will need to update your code to move your settings into this input and ensure you are using the updated naming schema.
+
+To provide better support across the range of available SKUs (by generation) for VPN gateways in a `Hub and Spoke` network, the module now automatically sets the `generation` attribute based on specified SKU.
+To keep in line with recommendations from the product teams, the module will default to `Generation2` where supported by the SKU.
+Customers who have already deployed a VPN gateway using a `Generation1` gateway will either need to redeploy the VPN gateway resource, or set the `generation` manually using the following advanced configuration:
+
+```hcl
+configure_connectivity_resources = {
+  # Additional attributes redacted
+  advanced = {
+    custom_settings_by_resource_type = {
+      azurerm_virtual_network_gateway = {
+        connectivity_vpn = {
+          (var.location) = {
+            generation = "Generation1"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### Telemetry resources
+
+This release includes additional resources relating to telemetry.
+For more information, please refer to the [Telemetry](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/README.md#telemetry) guidance for more information.
+
+### :rocket: Advanced configuration
+
+Although not documented, we are aware that a number of customers have already worked out how to use the `advanced` configuration blocks within `configure_connectivity_resources` and `configure_management_resources`
+
+:warning: This release brings a number of breaking changes to this functionality which must be carefully reviewed when upgrading from the previous release.
+
+The following table outlines the changes which must be considered.
+These are all within the scope of `configure_connectivity_resources.advanced.custom_settings_by_resource_type` (_which will be excluded from the attribute path for brevity_).
+
+> These changes only effect `hub_networks` resources.
+
+#### ExpressRoute Gateway resources
+
+| `v1.1.4` advanced object path | `v2.0.0` advanced object path |
+| :--- | :--- |
+| `azurerm_virtual_network_gateway["expressroute"][location].name` | `azurerm_virtual_network_gateway["connectivity_expressroute"][location].name` |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].ip_configuration` | `azurerm_virtual_network_gateway["connectivity_expressroute"][location].ip_configuration` |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].vpn_type` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].enable_bgp` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].active_active` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].private_ip_address_enabled` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].default_local_network_gateway_id` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].generation` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].vpn_client_configuration` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].bgp_settings` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].custom_route` | _removed as not applicable to ExpressRoute SKUs_ |
+| `azurerm_virtual_network_gateway["connectivity"]["ergw"][location].tags` | `azurerm_virtual_network_gateway["connectivity_expressroute"][location].tags` |
+| `azurerm_public_ip["connectivity"]["ergw"][location].*` | `azurerm_public_ip["connectivity_expressroute"][location].*` |
+
+#### VPN Gateway resources
+
+| `v1.1.4` advanced object path | `v2.0.0` advanced object path |
+| :--- | :--- |
+| `azurerm_virtual_network_gateway["vpn"][location].name` | `azurerm_virtual_network_gateway["connectivity_vpn"][location].name` |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].ip_configuration` | `azurerm_virtual_network_gateway["connectivity_vpn"][location].ip_configuration` |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].vpn_type` | `azurerm_virtual_network_gateway["connectivity_vpn"][location].vpn_type` |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].enable_bgp` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].active_active` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].private_ip_address_enabled` | _determined by_ `private_ip_address_allocation` _setting in new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].default_local_network_gateway_id` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].generation` | `azurerm_virtual_network_gateway["connectivity_vpn"][location].generation` |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].vpn_client_configuration` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].bgp_settings` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].custom_route` | _moved to new_ `advanced_vpn_settings` _object_ |
+| `azurerm_virtual_network_gateway["connectivity"]["vpngw"][location].tags` | `azurerm_virtual_network_gateway["connectivity_vpn"][location].tags` |
+| `azurerm_public_ip["connectivity"]["vpngw"][location].*` | `azurerm_public_ip["connectivity_vpn"][location].*` |
+
+#### Azure Firewall resources
+
+| `v1.1.4` advanced object path | `v2.0.0` advanced object path |
+| :--- | :--- |
+| `azurerm_public_ip["connectivity"]["azfw"][location].*` | `azurerm_public_ip["connectivity_firewall"][location].*` |
+
+> **NOTE:** In addition to the above, some new settings were added to advanced to enable resource names to be updated which could not be changed previously, but these are not documented here as would not result in a breaking change.
+
+## Next steps
+
+Take a look at the latest [User Guide](./User-Guide) documentation and our [Examples](./Examples) to understand the latest module configuration options, and review your implementation against the changes documented on this page.
+
+## Need help?
+
+If you're running into problems with the upgrade, please let us know via the [GitHub Issues](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues).
+We will do our best to point you in the right direction.
+
+[//]: # "************************"
+[//]: # "INSERT LINK LABELS BELOW"
+[//]: # "************************"
+
+[terraform-registry-caf-enterprise-scale]: https://registry.terraform.io/modules/Azure/caf-enterprise-scale/azurerm/latest "Terraform Registry: Azure landing zones Terraform module"
diff --git a/docs/wiki/[Variables]-configure_connectivity_resources.md b/docs/wiki/[Variables]-configure_connectivity_resources.md
index f42b4f4ab..2cab4313d 100644
--- a/docs/wiki/[Variables]-configure_connectivity_resources.md
+++ b/docs/wiki/[Variables]-configure_connectivity_resources.md
@@ -25,15 +25,28 @@ If specified, will customize the "Connectivity" landing zone settings and resour
               address_prefix           = "10.100.1.0/24"
               gateway_sku_expressroute = "ErGw2AZ"
               gateway_sku_vpn          = "VpnGw3"
+              advanced_vpn_settings = {
+                enable_bgp                       = null
+                active_active                    = null
+                private_ip_address_allocation    = ""
+                default_local_network_gateway_id = ""
+                vpn_client_configuration         = []
+                bgp_settings                     = []
+                custom_route                     = []
+              }
             }
           }
           azure_firewall = {
             enabled = false
             config = {
-              address_prefix   = "10.100.0.0/24"
-              enable_dns_proxy = true
-              dns_servers      = []
-              sku_tier         = ""
+              address_prefix                = "10.100.0.0/24"
+              enable_dns_proxy              = true
+              dns_servers                   = []
+              sku_tier                      = ""
+              base_policy_id                = ""
+              private_ip_ranges             = []
+              threat_intelligence_mode      = ""
+              threat_intelligence_allowlist = []
               availability_zones = {
                 zone_1 = true
                 zone_2 = true
@@ -141,18 +154,69 @@ object({
           virtual_network_gateway = object({
             enabled = bool
             config = object({
-              address_prefix           = string
-              gateway_sku_expressroute = string
-              gateway_sku_vpn          = string
+              address_prefix           = string # Only support adding a single address prefix for GatewaySubnet subnet
+              gateway_sku_expressroute = string # If specified, will deploy the ExpressRoute gateway into the GatewaySubnet subnet
+              gateway_sku_vpn          = string # If specified, will deploy the VPN gateway into the GatewaySubnet subnet
+              advanced_vpn_settings = object({
+                enable_bgp                       = bool
+                active_active                    = bool
+                private_ip_address_allocation    = string # Valid options are "", "Static" or "Dynamic". Will set `private_ip_address_enabled` and `private_ip_address_allocation` as needed.
+                default_local_network_gateway_id = string
+                vpn_client_configuration = list(
+                  object({
+                    address_space = list(string)
+                    aad_tenant    = string
+                    aad_audience  = string
+                    aad_issuer    = string
+                    root_certificate = list(
+                      object({
+                        name             = string
+                        public_cert_data = string
+                      })
+                    )
+                    revoked_certificate = list(
+                      object({
+                        name             = string
+                        public_cert_data = string
+                      })
+                    )
+                    radius_server_address = string
+                    radius_server_secret  = string
+                    vpn_client_protocols  = list(string)
+                    vpn_auth_types        = list(string)
+                  })
+                )
+                bgp_settings = list(
+                  object({
+                    asn         = number
+                    peer_weight = number
+                    peering_addresses = list(
+                      object({
+                        ip_configuration_name = string
+                        apipa_addresses       = list(string)
+                      })
+                    )
+                  })
+                )
+                custom_route = list(
+                  object({
+                    address_prefixes = list(string)
+                  })
+                )
+              })
             })
           })
           azure_firewall = object({
             enabled = bool
             config = object({
-              address_prefix   = string
-              enable_dns_proxy = bool
-              dns_servers      = []
-              sku_tier         = ""
+              address_prefix                = string # Only support adding a single address prefix for AzureFirewallManagementSubnet subnet
+              enable_dns_proxy              = bool
+              dns_servers                   = list(string)
+              sku_tier                      = string
+              base_policy_id                = string
+              private_ip_ranges             = list(string)
+              threat_intelligence_mode      = string
+              threat_intelligence_allowlist = list(string)
               availability_zones = object({
                 zone_1 = bool
                 zone_2 = bool
@@ -165,7 +229,70 @@ object({
         })
       })
     )
-    vwan_hub_networks = list(object({}))
+    vwan_hub_networks = list(
+      object({
+        enabled = bool
+        config = object({
+          address_prefix = string
+          location       = string
+          sku            = string
+          routes = list(
+            object({
+              address_prefixes    = list(string)
+              next_hop_ip_address = string
+            })
+          )
+          expressroute_gateway = object({
+            enabled = bool
+            config = object({
+              scale_unit = number
+            })
+          })
+          vpn_gateway = object({
+            enabled = bool
+            config = object({
+              bgp_settings = list(
+                object({
+                  asn         = number
+                  peer_weight = number
+                  instance_0_bgp_peering_address = list(
+                    object({
+                      custom_ips = list(string)
+                    })
+                  )
+                  instance_1_bgp_peering_address = list(
+                    object({
+                      custom_ips = list(string)
+                    })
+                  )
+                })
+              )
+              routing_preference = string
+              scale_unit         = number
+            })
+          })
+          azure_firewall = object({
+            enabled = bool
+            config = object({
+              enable_dns_proxy              = bool
+              dns_servers                   = list(string)
+              sku_tier                      = string
+              base_policy_id                = string
+              private_ip_ranges             = list(string)
+              threat_intelligence_mode      = string
+              threat_intelligence_allowlist = list(string)
+              availability_zones = object({
+                zone_1 = bool
+                zone_2 = bool
+                zone_3 = bool
+              })
+            })
+          })
+          spoke_virtual_network_resource_ids = list(string)
+          enable_virtual_hub_connections     = bool
+        })
+      })
+    )
     ddos_protection_plan = object({
       enabled = bool
       config = object({
@@ -238,13 +365,13 @@ object({
 Configure resources for the `connectivity` Landing Zone, including:
 
 - Hub network(s) for a traditional hub and spoke network topology.
-- Hub network(s) for an Azure Virtual WAN network topology (_coming soon_).
+- Hub network(s) for an Azure Virtual WAN network topology.
 - DDoS Protection Plan.
 - Public and private Azure DNS zones, including DNS for Private Endpoints.
 
 ### Configure hub networks (Hub and Spoke)
 
-Define zero or more hub networks as a list of objects, each containing configuration values covering an Address Space, DDOS Protection Plan, DNS Servers, BGP community, Subnets, Virtual Network Gateway, Azure Firewall, Spoke Virtual Network resources and Outbound VIrtual Network Peering.
+Define zero or more hub networks as a list of objects, each containing configuration values covering an address space, DDOS protection plan, DNS servers, BGP community, subnets, virtual network gateway, Azure firewall, spoke virtual network resources and outbound virtual network peering.
 
 ```hcl
 hub_networks = [
@@ -263,15 +390,28 @@ hub_networks = [
           address_prefix           = "10.100.1.0/24"
           gateway_sku_expressroute = "ErGw2AZ"
           gateway_sku_vpn          = "VpnGw3"
+          advanced_vpn_settings = {
+            enable_bgp                       = null
+            active_active                    = null
+            private_ip_address_allocation    = ""
+            default_local_network_gateway_id = ""
+            vpn_client_configuration         = []
+            bgp_settings                     = []
+            custom_route                     = []
+          }
         }
       }
       azure_firewall = {
         enabled = false
         config = {
-          address_prefix   = "10.100.0.0/24"
-          enable_dns_proxy = true
-          dns_servers      = []
-          sku_tier         = ""
+          address_prefix                = "10.100.0.0/24"
+          enable_dns_proxy              = true
+          dns_servers                   = []
+          sku_tier                      = ""
+          base_policy_id                = ""
+          private_ip_ranges             = []
+          threat_intelligence_mode      = ""
+          threat_intelligence_allowlist = []
           availability_zones = {
             zone_1 = true
             zone_2 = true
@@ -282,7 +422,7 @@ hub_networks = [
       spoke_virtual_network_resource_ids      = []
       enable_outbound_virtual_network_peering = false
     }
-  }
+  },
 ]
 ```
 
@@ -348,7 +488,7 @@ Changing this forces a new resource to be created.
 - Should not be one of the following which are created automatically be the module as required:
   - `GatewaySubnet`
   - `AzureFirewallSubnet`
-  
+
 ###### `settings.hub_networks[].config.subnets[].address_prefixes`
 
 The address prefixes to use for the subnet.
@@ -398,13 +538,60 @@ object({
     address_prefix           = string
     gateway_sku_expressroute = string
     gateway_sku_vpn          = string
+    advanced_vpn_settings = object({
+      enable_bgp                       = bool
+      active_active                    = bool
+      private_ip_address_allocation    = string
+      default_local_network_gateway_id = string
+      vpn_client_configuration = list(
+        object({
+          address_space = list(string)
+          aad_tenant    = string
+          aad_audience  = string
+          aad_issuer    = string
+          root_certificate = list(
+            object({
+              name             = string
+              public_cert_data = string
+            })
+          )
+          revoked_certificate = list(
+            object({
+              name             = string
+              public_cert_data = string
+            })
+          )
+          radius_server_address = string
+          radius_server_secret  = string
+          vpn_client_protocols  = list(string)
+          vpn_auth_types        = list(string)
+        })
+      )
+      bgp_settings = list(
+        object({
+          asn         = number
+          peer_weight = number
+          peering_addresses = list(
+            object({
+              ip_configuration_name = string
+              apipa_addresses       = list(string)
+            })
+          )
+        })
+      )
+      custom_route = list(
+        object({
+          address_prefixes = list(string)
+        })
+      )
+    })
   })
 })
 ```
 
 ###### `settings.hub_networks[].config.subnets[].virtual_network_gateway.enabled`
 
-The `enable` (`bool`) input allows you to toggle whether to create the `virtual_network_gateway` resources based on the values specified in the `config` (`object()`), as documented below.
+The `enabled` (`bool`) input allows you to toggle whether to create the `virtual_network_gateway` resources based on the values specified in the `config` (`object()`), as documented below.
 
 ###### `settings.hub_networks[].config.subnets[].virtual_network_gateway.config.address_prefix`
 
@@ -433,6 +620,19 @@ The SKU value will automatically determine whether the VPN Gateway and dependant
 > **NOTE**: Take care to ensure you specify a SKU supported by the location specified in the hub network configuration.
 > For example, locations without support for Availability Zones do not support SKUs for zonal gateways.
 
+###### settings.hub_networks[].config.subnets[].virtual_network_gateway.advanced_vpn_settings`
+
+Allows you to specify the VPN configuration for the virtual network gateway.
+The settings map to the [`azurerm_virtual_network_gateway`][azurerm_virtual_network_gateway] resource in the Azure provider.
+
+**`settings.hub_networks[].config.subnets[].virtual_network_gateway.advanced_vpn_settings.enable_bgp`**
+
+If `true`, BGP (Border Gateway Protocol) will be enabled for this virtual network gateway.
+
+**`settings.hub_networks[].config.subnets[].virtual_network_gateway.advanced_vpn_settings.active_active`**
+
+If `true`, an active-active virtual network gateway will be created. An active-active gateway requires a `HighPerformance` or an `UltraPerformance` sku. If false, an active-standby gateway will be created.
+
 ##### `settings.hub_networks[].config.azure_firewall`
 
 Allows you to create and configure an Azure Firewall in the hub network.
@@ -535,7 +735,117 @@ List of [Azure] resource IDs used to identify spoke Virtual Networks associated
 
 ### Configure hub networks (Virtual WAN)
 
-_Not implemented yet, coming soon._
+Define zero or more VWAN hub networks as a list of objects, each containing configuration values covering an address space, expressroute gateway, vpn gateway and Azure firewall.
+
+```terraform
+vwan_hub_networks = [
+  {
+    enabled = true
+    config = {
+      address_prefix = "10.0.0.0/23"
+      location       = "westeurope"
+      sku            = "Standard"
+      routes = [
+        {
+          address_prefixes = [
+            "192.168.0.0/16"
+          ]
+          next_hop_ip_address = "10.0.1.4"
+        }
+      ]
+      expressroute_gateway {
+        enabled = true
+        config = {
+          scale_unit = 1
+        }
+      }
+      vpn_gateway = {
+        enabled = true
+        config = {
+          bgp_settings = [
+            {
+              asn         = 12345
+              peer_weight = 10
+              instance_0_bgp_peering_address = [
+                {
+                  custom_ips = [
+                    ""
+                  ]
+                }
+              ]
+              instance_1_bgp_peering_address = [
+                {
+                  custom_ips = [
+                    ""
+                  ]
+                }
+              ]
+            }
+          ]
+          routing_preference = "Microsoft Network"
+          scale_unit         = 1
+        }
+      }
+      azure_firewall = {
+        enabled = true
+        config = {
+          enable_dns_proxy = true
+          dns_servers      = []
+          sku_tier         = "Standard"
+        }
+      }
+      spoke_virtual_network_resource_ids = [
+        ""
+      ]
+      enable_virtual_hub_connections     = true
+    }
+  }
+]
+```
+
+#### `settings.vwan_hub_networks[].enable`
+
+The `enable` (`bool`) input allows you to toggle whether to create this VWAN hub network instance, including all associated resources. Set to `false` if you want to toggle individual hub network instances without removing the full configuration.
+
+#### `settings.vwan_hub_networks[].config`
+
+The `config` (`object`) input allows you to set the following configuration items for each VWAN hub network:
+
+##### `settings.vwan_hub_networks[].config.address_prefix`
+
+The Address Prefix which should be used for this Virtual Hub.
+The address prefix subnet cannot be smaller than a /24.
+We recommend using a /23.
+
+E.g. `10.0.0.0/23`
+
+##### `settings.vwan_hub_networks[].config.location`
+
+Set the location/region where the hub network and associated resources are created.
+Changing this forces new resources to be created.
+By default, a `vwan_hub_network` with an empty value in the `location` field will be deployed to the location inherited from either `configure_connectivity_resources.location`, or the top-level variable `default_location`, in order of precedence.
+
+##### `settings.vwan_hub_networks[].config.sku`
+
+Set the [SKU](https://docs.microsoft.com/azure/virtual-wan/virtual-wan-about#basicstandard) of the VWAN hub.
+Allowed values are  `Basic` and `Standard`.
+
+##### `settings.vwan_hub_networks[].config.routes[]`
+
+A list of route objects used to define static routes for this virtual hub.
+An empty list will result in no static routes being created.
+
+###### `settings.vwan_hub_networks[].config.routes[].address_prefixes[]`
+
+A list of address prefixes to be used for the route.
+
+E.g. `192.168.0.0/16`
+
+###### `settings.vwan_hub_networks[].config.routes[].next_hop_ip_address`
+
+The IP address of the next hop for the route.
+
+e.g. `10.0.1.4`
 
 ### Configure DDoS Protection Plan
 
@@ -624,3 +934,4 @@ Optionally enable DNS resources for Private Link Services, Private DNS zones and
 
 [virtual_network_gateway_sku]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_gateway#sku "Supported SKUs for the virtual_network_gateway resource."
 [azfw_policy_rule_hierarchy]: https://docs.microsoft.com/azure/firewall-manager/rule-hierarchy "Use Azure Firewall policy to define a rule hierarchy."
+[azurerm_virtual_network_gateway]: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_gateway
diff --git a/docs/wiki/[Variables]-disable_telemetry.md b/docs/wiki/[Variables]-disable_telemetry.md
index 176290c68..dc97ef808 100644
--- a/docs/wiki/[Variables]-disable_telemetry.md
+++ b/docs/wiki/[Variables]-disable_telemetry.md
@@ -2,7 +2,7 @@
 
 [**disable_telemetry**](#overview) `bool` (optional)
 
-> Telemetry tracking was added to release `1.2.0` of the module
+> Telemetry was added to release `2.0.0` of the module
 
 Microsoft can identify the deployments of this module with the deployed Azure resources.
 Microsoft can correlate these resources used to support the deployments.
@@ -20,7 +20,7 @@ For example, to disable telemetry tracking, you can add this variable to the mod
 ```terraform
 module "enterprise_scale" {
   source  = "Azure/caf-enterprise-scale/azurerm"
-  version = "1.2.0"
+  version = "2.0.0"
 
   disable_telemetry = true
 }
@@ -110,7 +110,7 @@ The four deployments expose high level feature configuration as described in the
 
 Taking the following example from the `core` module:
 
-`pid-36dcde81-8c33-4da0-8dc3-265381502ccb-v1.2.0-000b-83a3fc`
+`pid-36dcde81-8c33-4da0-8dc3-265381502ccb-v2.0.0-000b-83a3fc`
 
 The bit field value is `000b`, which is hexadecimal.
 In binary `000b` hexadecimal is represented as `0000000000001011`.
diff --git a/docs/wiki/_Sidebar.md b/docs/wiki/_Sidebar.md
index 32c1c8bc8..3deb8f01c 100644
--- a/docs/wiki/_Sidebar.md
+++ b/docs/wiki/_Sidebar.md
@@ -1,6 +1,6 @@
 ![caf-enterprise-scale](media/azure.svg)
 
-## Terraform Module for Cloud Adoption Framework Enterprise-scale
+## Azure landing zones Terraform module
 
 - [Home][wiki_home]
 - [User Guide][wiki_user_guide]
@@ -39,6 +39,7 @@
   - [Contributing to Code][wiki_contributing_to_code]
   - [Contributing to Documentation][wiki_contributing_to_documentation]
 - [Upgrade Guides][wiki_upgrade_from_v0_4_0_to_v1_0_0]
+  - [Upgrade from v1.1.4 to v2.0.0][wiki_upgrade_from_v1_1_4_to_v2_0_0]
   - [Upgrade from v0.4.0 to v1.0.0][wiki_upgrade_from_v0_4_0_to_v1_0_0]
   - [Upgrade from v0.3.3 to v0.4.0][wiki_upgrade_from_v0_3_3_to_v0_4_0]
   - [Upgrade from v0.1.2 to v0.2.0][wiki_upgrade_from_v0_1_2_to_v0_2_0]
@@ -63,6 +64,7 @@
 [wiki_upgrade_from_v0_1_2_to_v0_2_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.1.2-to-v0.2.0 "Wiki - Upgrade from v0.1.2 to v0.2.0"
 [wiki_upgrade_from_v0_3_3_to_v0_4_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.3.3-to-v0.4.0 "Wiki - Upgrade from v0.3.3 to v0.4.0"
 [wiki_upgrade_from_v0_4_0_to_v1_0_0]:         ./%5BUser-Guide%5D-Upgrade-from-v0.4.0-to-v1.0.0 "Wiki - Upgrade from v0.4.0 to v1.0.0"
+[wiki_upgrade_from_v1_1_4_to_v2_0_0]:         ./%5BUser-Guide%5D-Upgrade-from-v1.1.4-to-v2.0.0 "Wiki - Upgrade from v1.1.4 to v2.0.0"
 [wiki_examples]:                              ./Examples "Wiki - Examples"
 [wiki_examples_level_100]:                    ./Examples#advanced-level-100 "Wiki - Examples"
 [wiki_examples_level_200]:                    ./Examples#advanced-level-200 "Wiki - Examples"
diff --git a/locals.version.tf b/locals.version.tf
index 330983b30..eadb0b936 100644
--- a/locals.version.tf
+++ b/locals.version.tf
@@ -1,3 +1,3 @@
 locals {
-  module_version = "v1.1.4"
+  module_version = "v2.0.0"
 }
diff --git a/tests/README.md b/tests/README.md
index 742691ce8..6e9674c66 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -1,4 +1,4 @@
-# Test Framework for the Terraform Module for Cloud Adoption Framework Enterprise-scale
+# Test Framework for the Azure landing zones Terraform module
 
 This folder contains code relating to the test framework for this module.
 Testing is currently performed in the following stages:
diff --git a/tests/opa/policy/readme.md b/tests/opa/policy/readme.md
index 3e2e0fa95..1bd2c069d 100644
--- a/tests/opa/policy/readme.md
+++ b/tests/opa/policy/readme.md
@@ -1,6 +1,6 @@
-# Test suite for CAF Terraform Module
+# Test suite for Azure landing zones Terraform module
 
-The CAF Terraform Module is able to deploy different groups of resources depending on the selected options. The module also requires a minimum AzureRM provider version of `v3.0.2` and it is compatible with a selection of Terraform versions, as described in the module's official wiki page.
+The Azure landing zones Terraform module is able to deploy different groups of resources depending on the selected options. The module also requires a minimum AzureRM provider version of `v3.0.2` and it is compatible with a selection of Terraform versions, as described in the module's official wiki page.
 
 [Open Policy Agent](https://www.openpolicyagent.org/docs/latest) is an open source, general-purpose policy engine that unifies policy enforcement across the stack.
 
diff --git a/tests/scripts/opa-values-generator.ps1 b/tests/scripts/opa-values-generator.ps1
index cb4fe255c..3f4ab0782 100644
--- a/tests/scripts/opa-values-generator.ps1
+++ b/tests/scripts/opa-values-generator.ps1
@@ -17,7 +17,7 @@ param (
 # #* Update the path to run the tests on a different folder (example: ../deployment_2)
 # #* Copy paste the variables.tf file from deployment folder and adjust your main.tf
 ###############################################
-# #* Path of the tested _es terraform module
+# #* Path of the tested Terraform module
 $BASE_PATH = $(Get-Location).Path
 $MODULE_PATHS = @(
     "$($BASE_PATH)/../modules/test_001_baseline"