diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md
new file mode 100644
index 00000000..6defe786
--- /dev/null
+++ b/kit/azure/aviatrix/README.md
@@ -0,0 +1,64 @@
+---
+name: Azure Aviatrix
+summary: |
+  Set
+compliance:
+  - control: cfmm/cost-management/monthly-cloud-tenant-billing-report
+    statement: |
+      Enables
+  - control: cfmm/cost-management/billing-alerts
+    statement: |
+      Sets
+---
+
+# Azure Aviatrix
+
+Aviatrix
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 2.46.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
+| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
+| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
+| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allowed_user_group_id"></a> [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes |
+| <a name="input_location"></a> [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes |
+| <a name="input_parent_management_group"></a> [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes |
+| <a name="input_service_principal_name"></a> [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_aviatrix_service_principal"></a> [aviatrix\_service\_principal](#output\_aviatrix\_service\_principal) | n/a |
+| <a name="output_client_id"></a> [client\_id](#output\_client\_id) | n/a |
+| <a name="output_client_principal_id"></a> [client\_principal\_id](#output\_client\_principal\_id) | n/a |
+| <a name="output_client_secret"></a> [client\_secret](#output\_client\_secret) | n/a |
+| <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/kit/azure/aviatrix/aviatrix.spn.tf b/kit/azure/aviatrix/aviatrix.spn.tf
new file mode 100644
index 00000000..edb25394
--- /dev/null
+++ b/kit/azure/aviatrix/aviatrix.spn.tf
@@ -0,0 +1,127 @@
+resource "azurerm_role_definition" "aviatrix_deploy" {
+  name        = var.service_principal_name
+  scope       = var.parent_management_group
+  description = "Permissions required to deploy the avaitrix"
+
+  permissions {
+    actions = [
+      #https://docs.aviatrix.com/documentation/latest/accounts-and-users/custom-role-azure.html?expand=true
+      "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/*",
+      "Microsoft.Compute/*/read",
+      "Microsoft.Compute/availabilitySets/*",
+      "Microsoft.Compute/virtualMachines/*",
+      "Microsoft.Network/*/read",
+      "Microsoft.Network/publicIPAddresses/*",
+      "Microsoft.Network/networkInterfaces/*",
+      "Microsoft.Network/networkSecurityGroups/*",
+      "Microsoft.Network/loadBalancers/*",
+      "Microsoft.Network/routeTables/*",
+      "Microsoft.Network/virtualNetworks/*",
+      "Microsoft.Storage/storageAccounts/*",
+      "Microsoft.Resources/*/read",
+      "Microsoft.Resourcehealth/healthevent/*",
+      "Microsoft.Resources/deployments/*",
+      "Microsoft.Resources/tags/*",
+      "Microsoft.Resources/marketplace/purchase/action",
+      "Microsoft.Resources/subscriptions/resourceGroups/*"
+    ]
+  }
+
+  assignable_scopes = [
+    var.parent_management_group
+  ]
+}
+
+data "azuread_application_published_app_ids" "well_known" {}
+
+data "azuread_service_principal" "msgraph" {
+  client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+}
+
+resource "azuread_application" "aviatrix_deploy" {
+  display_name = var.service_principal_name
+
+  web {
+    implicit_grant {
+      access_token_issuance_enabled = false
+    }
+  }
+  required_resource_access {
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+
+    resource_access {
+      id   = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
+      type = "Role"
+    }
+    resource_access {
+      id   = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
+      type = "Role"
+    }
+    resource_access {
+      id   = data.azuread_service_principal.msgraph.app_role_ids["AppRoleAssignment.ReadWrite.All"]
+      type = "Role"
+    }
+
+    resource_access {
+      id   = data.azuread_service_principal.msgraph.app_role_ids["Application.ReadWrite.All"]
+      type = "Role"
+    }
+  }
+
+  # NOTE: currently it is not possible to automate the "Grant admin consent button"
+  # https://github.com/terraform-providers/terraform-provider-azuread/issues/33
+  # As a result we have to ignore this value in terraform for now
+  # In addition please keep in mind you have to grant admin consent manually
+  lifecycle {
+    ignore_changes = [
+      app_role
+    ]
+  }
+}
+
+resource "azuread_service_principal" "aviatrix_deploy" {
+  client_id = azuread_application.aviatrix_deploy.client_id
+  # The following tags are needed to create an Enterprise Application
+  # See https://github.com/hashicorp/terraform-provider-azuread/issues/7#issuecomment-529597534
+  tags = [
+    "WindowsAzureActiveDirectoryIntegratedApp",
+  ]
+}
+
+resource "azurerm_role_assignment" "aviatrix_deploy" {
+  scope              = var.parent_management_group
+  role_definition_id = azurerm_role_definition.aviatrix_deploy.role_definition_resource_id
+  principal_id       = azuread_service_principal.aviatrix_deploy.id
+}
+
+resource "azuread_app_role_assignment" "aviatrix_deploy-directory" {
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Directory.Read.All"]
+  principal_object_id = azuread_service_principal.aviatrix_deploy.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
+}
+# This azuread_app_role_assignment is necessary if you want to manage groups through Terraform.
+# Productive use in a cloud foundation should probably manage groups not via Terraform but
+# via existing IAM processes, but this is a good lean start.
+# resource "azuread_app_role_assignment" "aviatrix_deploy-group" {
+#   app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
+#   principal_object_id = azuread_service_principal.aviatrix_deploy.object_id
+#   resource_object_id  = data.azuread_service_principal.msgraph.object_id
+# }
+
+resource "azuread_app_role_assignment" "aviatrix_deploy-approle" {
+  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["AppRoleAssignment.ReadWrite.All"]
+  principal_object_id = azuread_service_principal.aviatrix_deploy.object_id
+  resource_object_id  = data.azuread_service_principal.msgraph.object_id
+}
+
+# note this requires the terraform to be run regularly
+resource "time_rotating" "key_rotation" {
+  rotation_days = 365
+}
+
+resource "azuread_application_password" "aviatrix_deploy" {
+  application_id = azuread_application.aviatrix_deploy.id
+  rotate_when_changed = {
+    rotation = time_rotating.key_rotation.id
+  }
+}
diff --git a/kit/azure/aviatrix/documentation.tf b/kit/azure/aviatrix/documentation.tf
new file mode 100644
index 00000000..a50f3e64
--- /dev/null
+++ b/kit/azure/aviatrix/documentation.tf
@@ -0,0 +1,6 @@
+output "documentation_md" {
+  value = <<EOF
+# Aviatrix
+
+EOF
+}
diff --git a/kit/azure/aviatrix/outputs.tf b/kit/azure/aviatrix/outputs.tf
new file mode 100644
index 00000000..b31c4a73
--- /dev/null
+++ b/kit/azure/aviatrix/outputs.tf
@@ -0,0 +1,16 @@
+output "client_id" {
+  value = azuread_service_principal.aviatrix_deploy.client_id
+}
+
+output "client_secret" {
+  value     = azuread_application_password.aviatrix_deploy.value
+  sensitive = true
+}
+
+output "client_principal_id" {
+  value = azuread_service_principal.aviatrix_deploy.id
+}
+
+output "aviatrix_service_principal" {
+  value = azuread_application.aviatrix_deploy.display_name
+}
diff --git a/kit/azure/aviatrix/template/platform-module/terragrunt.hcl b/kit/azure/aviatrix/template/platform-module/terragrunt.hcl
new file mode 100644
index 00000000..b5565baf
--- /dev/null
+++ b/kit/azure/aviatrix/template/platform-module/terragrunt.hcl
@@ -0,0 +1,40 @@
+include "platform" {
+  path   = find_in_parent_folders("platform.hcl")
+  expose = true
+}
+
+terraform {
+  source = "${get_repo_root()}//kit/azure/aviatrix"
+}
+
+dependency "bootstrap" {
+  config_path = "../bootstrap"
+}
+
+dependency "organization-hierarchy" {
+  config_path = "../organization-hierarchy"
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+  tenant_id       = "${include.platform.locals.platform.azure.aadTenantId}"
+  subscription_id = "${include.platform.locals.platform.azure.subscriptionId}"
+}
+
+provider "azuread" {
+  tenant_id       = "${include.platform.locals.platform.azure.aadTenantId}"
+}
+EOF
+}
+
+inputs = {
+  # todo: set input variables
+  parent_management_group = "${dependency.organization-hierarchy.outputs.landingzones_id}"
+  allowed_user_group_id   = ["${dependency.bootstrap.outputs.platform_engineers_azuread_group_id}"]
+  location                = "${try(include.platform.locals.tfstateconfig.location, "could not read location from stateconfig. configure it explicitly")}"
+}
diff --git a/kit/azure/aviatrix/variables.tf b/kit/azure/aviatrix/variables.tf
new file mode 100644
index 00000000..f64d10ca
--- /dev/null
+++ b/kit/azure/aviatrix/variables.tf
@@ -0,0 +1,23 @@
+variable "parent_management_group" {
+  type        = string
+  nullable    = false
+  description = "id of the tenant management group"
+}
+
+variable "service_principal_name" {
+  type        = string
+  nullable    = false
+  default     = "avaitrix_deploy_spn"
+  description = "id of the tenant management group"
+}
+
+variable "allowed_user_group_id" {
+  type        = list(string)
+  nullable    = false
+  description = "id of the authorized id which can do changes"
+}
+
+variable "location" {
+  type        = string
+  description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails."
+}
diff --git a/kit/azure/aviatrix/versions.tf b/kit/azure/aviatrix/versions.tf
new file mode 100644
index 00000000..4da6ddd1
--- /dev/null
+++ b/kit/azure/aviatrix/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.81.0"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.46.0"
+    }
+  }
+}
diff --git a/kit/azure/bootstrap/README.md b/kit/azure/bootstrap/README.md
index 515f7ccf..98f9651d 100644
--- a/kit/azure/bootstrap/README.md
+++ b/kit/azure/bootstrap/README.md
@@ -121,7 +121,7 @@ collie foundation deploy --bootstrap -- destroy
 |------|-------------|------|---------|:--------:|
 | <a name="input_aad_tenant_id"></a> [aad\_tenant\_id](#input\_aad\_tenant\_id) | Id of the AAD Tenant. This is also the simultaneously the id of the root management group. | `string` | n/a | yes |
 | <a name="input_documentation_uami"></a> [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines | <pre>object({<br>    name = string<br>    # note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373<br>    oidc_subject = string<br>  })</pre> | `null` | no |
-| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. | <pre>object({<br>    name                = string,<br>    resource_group_name = string<br>  })</pre> | <pre>{<br>  "name": "cloudfoundation-kv",<br>  "resource_group_name": "cloudfoundation-keyvault"<br>}</pre> | no |
+| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. | <pre>object({<br>    name                = string,<br>    resource_group_name = string<br>  })</pre> | <pre>{<br>  "name": "cloudfoundation-kv",<br>  "resource_group_name": "cloudfoundation-rg"<br>}</pre> | no |
 | <a name="input_parent_management_group_name"></a> [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes |
 | <a name="input_platform_engineers_group"></a> [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no |
 | <a name="input_platform_engineers_members"></a> [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | <pre>list(object({<br>    email = string,<br>    upn   = string,<br>  }))</pre> | n/a | yes |
diff --git a/kit/azure/bootstrap/template/platform-module/terragrunt.hcl b/kit/azure/bootstrap/template/platform-module/terragrunt.hcl
index d74e828a..1a9fad0e 100644
--- a/kit/azure/bootstrap/template/platform-module/terragrunt.hcl
+++ b/kit/azure/bootstrap/template/platform-module/terragrunt.hcl
@@ -37,8 +37,7 @@ EOF
 }
 
 inputs = {
-  aad_tenant_id                = include.platform.locals.platform.azure.aadTenantId
-  parent_management_group_name = "cloudfoundation-management-group" #TODO the cloudfoundation is created in a separate management group so as not to jeopardize the existing infrastructure
+  aad_tenant_id = include.platform.locals.platform.azure.aadTenantId
 
   terraform_state_storage = {
     name             = "${include.platform.locals.cloudfoundation.name}"
@@ -53,8 +52,8 @@ inputs = {
     }
   ]
   key_vault = {
-    name                = "cloudfoundation-kv"
-    resource_group_name = "cloudfoundation-keyvault"
+    name                = "likvid-cloudfoundation-kv"
+    resource_group_name = "likvid-cloudfoundation-keyvault"
   }
 
 
diff --git a/kit/azure/bootstrap/variables.tf b/kit/azure/bootstrap/variables.tf
index 9e1011b9..0e233ffa 100644
--- a/kit/azure/bootstrap/variables.tf
+++ b/kit/azure/bootstrap/variables.tf
@@ -29,7 +29,7 @@ variable "key_vault" {
   description = "This object contains configuration details for setting up a key vault."
   default = {
     name                = "cloudfoundation-kv"
-    resource_group_name = "cloudfoundation-keyvault"
+    resource_group_name = "cloudfoundation-rg"
   }
 }
 
diff --git a/kit/azure/buildingblocks/automation/README.md b/kit/azure/buildingblocks/automation/README.md
index 7b9bdb8f..0524a61a 100644
--- a/kit/azure/buildingblocks/automation/README.md
+++ b/kit/azure/buildingblocks/automation/README.md
@@ -79,4 +79,4 @@ No modules.
 | <a name="output_storage_account_name"></a> [storage\_account\_name](#output\_storage\_account\_name) | n/a |
 | <a name="output_subscription_id"></a> [subscription\_id](#output\_subscription\_id) | n/a |
 | <a name="output_tenant_id"></a> [tenant\_id](#output\_tenant\_id) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/automation/documentation.tf b/kit/azure/buildingblocks/automation/documentation.tf
index 8516d424..ba090f71 100644
--- a/kit/azure/buildingblocks/automation/documentation.tf
+++ b/kit/azure/buildingblocks/automation/documentation.tf
@@ -19,3 +19,4 @@ This module automates the deployment of building blocks within Azure. It utilize
 
 EOF
 }
+
diff --git a/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl b/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl
index 000b5190..eecb82e5 100644
--- a/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl
+++ b/kit/azure/buildingblocks/automation/template/platform-module/terragrunt.hcl
@@ -7,10 +7,6 @@ dependency "organization-hierarchy" {
   config_path = "../../organization-hierarchy"
 }
 
-dependency "bootstrap" {
-  config_path = "../../bootstrap"
-}
-
 generate "provider" {
   path      = "provider.tf"
   if_exists = "overwrite"
@@ -33,9 +29,5 @@ terraform {
 inputs = {
   location               = "germanywestcentral"
   service_principal_name = "cloud_foundation_tf_buildingblock_user"
-  key_vault = {
-    name                = dependency.bootstrap.outputs.azurerm_key_vault.name
-    resource_group_name = dependency.bootstrap.outputs.azurerm_key_vault_rg_name
-  }
-  scope = dependency.organization-hierarchy.outputs.landingzones_id
+  scope                  = dependency.organization-hierarchy.outputs.landingzones_id
 }
diff --git a/kit/azure/buildingblocks/budget-alert/backplane/README.md b/kit/azure/buildingblocks/budget-alert/backplane/README.md
new file mode 100644
index 00000000..4982e357
--- /dev/null
+++ b/kit/azure/buildingblocks/budget-alert/backplane/README.md
@@ -0,0 +1,54 @@
+---
+name: Azure Building Block - Subscription Budget Alert
+summary: |
+  Building block module for adding a simple monthly budget alert to a subscription.
+---
+
+# Azure Subscription Budget Alert
+
+This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module.
+
+## Permissions
+
+This is a very simple building block, which means we let the SPN have access to deploy budget alerts
+across all subscriptions underneath a management group (typically the top-level management group for landing zones).
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | `"budget-alert"` | no |
+| <a name="input_principal_ids"></a> [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Budget Alert building block backplane |
+| <a name="output_role_assignment_ids"></a> [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. |
+| <a name="output_role_assignment_principal_ids"></a> [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. |
+| <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. |
+| <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. |
+| <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
index 327a95c4..4917af3d 100644
--- a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.71.0"
+      version = "~> 3.108.0"
     }
     time = {
       source  = "hashicorp/time"
diff --git a/kit/azure/buildingblocks/connectivity/backplane/README.md b/kit/azure/buildingblocks/connectivity/backplane/README.md
new file mode 100644
index 00000000..9cdfdd98
--- /dev/null
+++ b/kit/azure/buildingblocks/connectivity/backplane/README.md
@@ -0,0 +1,59 @@
+---
+name: Azure Building Block - Connectivity
+summary: |
+  Building block module for adding on-premise connectivity to a subscription.
+---
+
+# Azure Connect
+
+This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module.
+
+## Permissions
+
+This is a complex building block backplane that requires permission across the central network hub as well as into the
+target subscription for creating a spoke network. This backplane thus needs to work with multiple `azurerm` terraform providers.
+
+We establish a clear shared responsibility boundary in the target subscription by
+deploying a `connectivity` resource group to target subscription. This resource group is exclusively owned by the connectivity building block backplane SPN.
+
+An Azure Policy confines the access of the SPN to that resource group.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
+| <a name="input_principal_ids"></a> [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Connectivity building block backplane |
+| <a name="output_role_assignment_ids"></a> [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. |
+| <a name="output_role_assignment_principal_ids"></a> [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. |
+| <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the Connectivity building block to the hub. |
+| <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the Connectivity building block to the hub. |
+| <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
index b6615eab..7f45dd0e 100644
--- a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
+++ b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
@@ -29,5 +29,4 @@ variable "azure_delay_seconds" {
   type        = number
   description = "Number of additional seconds to wait between Azure API operations to mitigate eventual consistency issues in order to increase automation reliabilty."
   default     = 30
-}
-
+}
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
index 53fb53d9..56843d8e 100644
--- a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     azurerm = {
       source                = "hashicorp/azurerm"
-      version               = "~> 3.106.1"
+      version               = "~> 3.108.0"
       configuration_aliases = [azurerm.spoke, azurerm.hub]
     }
 
diff --git a/kit/azure/buildingblocks/github-repo/buildingblock/README.md b/kit/azure/buildingblocks/github-repo/buildingblock/README.md
new file mode 100644
index 00000000..0efb5ff2
--- /dev/null
+++ b/kit/azure/buildingblocks/github-repo/buildingblock/README.md
@@ -0,0 +1,75 @@
+---
+name: Azure Building Block - GitHub Repository
+summary: |
+  Building block module for creating a GitHub repository.
+---
+
+# Azure GitHub Repository
+
+This documentation is intended as a reference for cloud foundation or platform engineers using this module.
+
+## Permissions
+
+This building block requires a service principal with permissions to manage GitHub repositories. The service principal should have a GitHub App installed with the necessary permissions to create repositories.
+
+The private key of the GitHub App should be stored in Azure Key Vault and the service principal should have permissions to read this secret.
+
+The service principal also needs permissions to assign the "Key Vault Reader" role to itself for the Key Vault where the GitHub App's private key is stored.
+
+## Usage
+
+This building block creates a GitHub repository with the specified name, description, and visibility. It also supports creating a repository based on a template repository.
+
+You can specify the name of the GitHub organization, the name of the repository, whether to create a new repository or use a template, the owner and name of the template repository, and the visibility of the repository.
+
+The GitHub token is retrieved from Azure Key Vault and used to authenticate with the GitHub API.
+
+The building block outputs the name, description, and visibility of the created repository.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | 5.34.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository) | resource |
+| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_new"></a> [create\_new](#input\_create\_new) | Flag to indicate whether to create a new repository | `bool` | n/a | yes |
+| <a name="input_description"></a> [description](#input\_description) | Description of the GitHub repository | `string` | `"created by github-repo-building-block"` | no |
+| <a name="input_github_app_id"></a> [github\_app\_id](#input\_github\_app\_id) | ID of the GitHub App | `string` | n/a | yes |
+| <a name="input_github_app_installation_id"></a> [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | Installation ID of the GitHub App | `string` | n/a | yes |
+| <a name="input_github_org"></a> [github\_org](#input\_github\_org) | Name of the GitHub organization | `string` | n/a | yes |
+| <a name="input_github_token_secret_name"></a> [github\_token\_secret\_name](#input\_github\_token\_secret\_name) | Name of the secret in Key Vault that holds the GitHub token | `string` | n/a | yes |
+| <a name="input_key_vault_name"></a> [key\_vault\_name](#input\_key\_vault\_name) | Name of the Key Vault | `string` | n/a | yes |
+| <a name="input_key_vault_rg"></a> [key\_vault\_rg](#input\_key\_vault\_rg) | Name of the Resource Group where the Key Vault is located | `string` | n/a | yes |
+| <a name="input_repo_name"></a> [repo\_name](#input\_repo\_name) | Name of the GitHub repository | `string` | `"github-repo"` | no |
+| <a name="input_template_owner"></a> [template\_owner](#input\_template\_owner) | Owner of the template repository | `string` | `"template-owner"` | no |
+| <a name="input_template_repo"></a> [template\_repo](#input\_template\_repo) | Name of the template repository | `string` | `"github-repo"` | no |
+| <a name="input_use_template"></a> [use\_template](#input\_use\_template) | Flag to indicate whether to create a repo based on a Template Repository | `bool` | `false` | no |
+| <a name="input_visibility"></a> [visibility](#input\_visibility) | Visibility of the GitHub repository | `string` | `"private"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_repo_full_name"></a> [repo\_full\_name](#output\_repo\_full\_name) | n/a |
+| <a name="output_repo_git_clone_url"></a> [repo\_git\_clone\_url](#output\_repo\_git\_clone\_url) | n/a |
+| <a name="output_repo_html_url"></a> [repo\_html\_url](#output\_repo\_html\_url) | n/a |
+| <a name="output_repo_name"></a> [repo\_name](#output\_repo\_name) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/kit/azure/buildingblocks/subscription/backplane/README.md b/kit/azure/buildingblocks/subscription/backplane/README.md
new file mode 100644
index 00000000..ed970cd6
--- /dev/null
+++ b/kit/azure/buildingblocks/subscription/backplane/README.md
@@ -0,0 +1,54 @@
+---
+name: Azure Building Block - Subscription Baseline
+summary: |
+  Baseline for all subscriptions managed by the Likvid Bank Cloud Foundation Team.
+---
+
+# Azure Subscription Baseline
+
+This documentation is intended as a reference documentation for cloud foundation or platform engineers using this module.
+
+## Permissions
+
+This is a very simple building block backplane, which means it sets up permission to deploy the building block
+across all subscriptions underneath a management group (typically the top-level management group for landing zones).
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | `"budget-alert"` | no |
+| <a name="input_principal_ids"></a> [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes |
+| <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the Subscription building block backplane |
+| <a name="output_role_assignment_ids"></a> [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. |
+| <a name="output_role_assignment_principal_ids"></a> [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. |
+| <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the Subscription building block to subscriptions. |
+| <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the Subscription building block to subscriptions. |
+| <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
index a0c42f5d..374ea43b 100644
--- a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 3.71.0"
+      version = "~> 3.108.0"
     }
   }
 }
diff --git a/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl b/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl
new file mode 100644
index 00000000..9e4e4662
--- /dev/null
+++ b/kit/azure/buildingblocks/subscription/template/platform-module/terragrunt.hcl
@@ -0,0 +1,38 @@
+include "platform" {
+  path   = find_in_parent_folders("platform.hcl")
+  expose = true
+}
+
+dependency "bootstrap" {
+  config_path = "../../bootstrap"
+}
+
+dependency "organization-hierarchy" {
+  config_path = "../../organization-hierarchy"
+}
+
+# we deploy to the management subscription here, as the subscription building block is central to all LZs
+# we also deploy the backplane like all other platform modules with azure-cli auth
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+  tenant_id       = "${include.platform.locals.platform.azure.aadTenantId}"
+  subscription_id = "${include.platform.locals.platform.azure.subscriptionId}"
+  storage_use_azuread = true
+}
+EOF
+}
+
+terraform {
+  source = "${get_repo_root()}//kit/azure/buildingblocks/subscription"
+}
+
+inputs = {
+  name          = "subscription"
+  principal_ids = toset([dependency.bootstrap.outputs.platform_engineers_azuread_group_id])
+  scope         = dependency.organization-hierarchy.outputs.landingzones_id
+}
diff --git a/kit/azure/landingzones/corp-online/documentation.tf b/kit/azure/landingzones/corp-online/documentation.tf
index c9787ee5..c322f95a 100644
--- a/kit/azure/landingzones/corp-online/documentation.tf
+++ b/kit/azure/landingzones/corp-online/documentation.tf
@@ -19,7 +19,6 @@ Landing zones for application teams are placed under either
 |[${module.policy_corp.policy_assignments["Deny-HybridNetworking"].display_name}](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies)|Deny|${module.policy_corp.policy_assignments["Deny-HybridNetworking"].description}|By denying these resources, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure.|
 |[${module.policy_corp.policy_assignments["Deny-Public-Endpoints"].display_name}](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)|Deny|${module.policy_corp.policy_assignments["Deny-Public-Endpoints"].description} | By disabling public network access, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure.|
 |[${module.policy_corp.policy_assignments["Deny-Public-IP-On-NIC"].display_name}](https://www.azadvertizer.net/azpolicyadvertizer/83a86a26-fd1f-447c-b59d-e51f44264114.html)|Deny|${module.policy_corp.policy_assignments["Deny-Public-IP-On-NIC"].description}|By denying public IP addresses, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure.|
-|[${module.policy_corp.policy_assignments["Deny-Peer-To-Non-A-VNET"].display_name}](https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peering-To-Non-Approved-VNETs.html)|Deny|${module.policy_corp.policy_assignments["Deny-Peer-To-Non-A-VNET"].description}|By denying VNET peering to non-approved VNETs, we can ensure that all traffic to and from the resource is routed through the private network, which is more secure. This is a cosutmized version of the Enterprise-Scale policy|
 
 ### Active Policies Online
 
diff --git a/kit/azure/meshplatform/README.md b/kit/azure/meshplatform/README.md
index 2eb727b4..7be47a7f 100644
--- a/kit/azure/meshplatform/README.md
+++ b/kit/azure/meshplatform/README.md
@@ -57,4 +57,4 @@ No resources.
 | <a name="output_metering_credentials"></a> [metering\_credentials](#output\_metering\_credentials) | Metering Service Principal. |
 | <a name="output_replicator_client_secret"></a> [replicator\_client\_secret](#output\_replicator\_client\_secret) | Password for Replicator Service Principal. |
 | <a name="output_replicator_credentials"></a> [replicator\_credentials](#output\_replicator\_credentials) | Replicator Service Principal. |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/kit/azure/meshplatform/variables.tf b/kit/azure/meshplatform/variables.tf
index 04cdecf8..80315718 100644
--- a/kit/azure/meshplatform/variables.tf
+++ b/kit/azure/meshplatform/variables.tf
@@ -98,4 +98,4 @@ variable "can_cancel_subscriptions_in_scopes" {
   type        = list(string)
   description = "The scopes to which Service Principal cancel subscription permission is assigned to. List of management group id of form `/providers/Microsoft.Management/managementGroups/<mgmtGroupId>/`."
   default     = []
-}
+}
\ No newline at end of file
diff --git a/kit/azure/networking/README.md b/kit/azure/networking/README.md
index 19fad434..07f129b7 100644
--- a/kit/azure/networking/README.md
+++ b/kit/azure/networking/README.md
@@ -1,4 +1,3 @@
-
 ---
 name: Azure Network
 summary: |
diff --git a/kit/azure/networking/documentation.tf b/kit/azure/networking/documentation.tf
index 1ba5484c..ba94fcbd 100644
--- a/kit/azure/networking/documentation.tf
+++ b/kit/azure/networking/documentation.tf
@@ -12,13 +12,17 @@ Upon request, we will peer a VNet in your subscription with the hub.
 All Firewall related logs are in the Log Anlytics Workspace
   - `${local.parsed_diag.log_analytics_id}`
 
-## Subnets
-| name | prefixes | description |
+## Hub and spoke vnet-peering
+| name | adress_sapce | description |
 |-|-|-|
-${var.deploy_firewall ?
-  "|${azurerm_subnet.firewall[0].name} | ${join(", ", azurerm_subnet.firewall[0].address_prefixes)}|" : ""}
-|${azurerm_subnet.mgmt.name} | ${join(", ", azurerm_subnet.mgmt.address_prefixes)}|
-|${azurerm_subnet.gateway.name} | ${join(", ", azurerm_subnet.gateway.address_prefixes)}|
+glaskugel| 10.1.0.0/24 | Project Palantíri, stackholder Saruman |
+ 
+## Subnets
+| name | prefixes |
+|-|-|
+${var.deploy_firewall ? "| ${azurerm_subnet.firewall[0].name} | ${join(", ", azurerm_subnet.firewall[0].address_prefixes)} |\n" : "\n"}
+| ${azurerm_subnet.mgmt.name} | ${join(", ", azurerm_subnet.mgmt.address_prefixes)} | 
+| ${azurerm_subnet.gateway.name} | ${join(", ", azurerm_subnet.gateway.address_prefixes)} |
 
 ${var.deploy_firewall ? "## Azure Firewall sku: ${var.firewall_sku_tier}" : "## Firewall deployment is not enabled."}
 ${var.firewall_sku_tier == "Basic" && var.deploy_firewall ?