diff --git a/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf b/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf
index 2b8b565..01458c3 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf
@@ -8,8 +8,9 @@ locals {
 # network prod
 #---
 provider "aws" {
- alias = "route53_main"
- region = var.region_map["east"]
+ alias = "route53_main"
+ region = var.region_map["east"]
+ profile = var.profile
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
 session_name = var.os_username
@@ -54,8 +55,9 @@ module "route53_main_west" {
 # do2-gov ("legacy")
 #---
 provider "aws" {
- alias = "route53_main_legacy"
- region = var.region_map["east"]
+ alias = "route53_main_legacy"
+ region = var.region_map["east"]
+ profile = var.profile
 assume_role {
 role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
 session_name = var.os_username
diff --git a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
index 25883c5..b879356 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
+++ b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.1.7
+VERSION 1.1.9
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
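Review bot: Both route53 provider blocks now depend on `var.profile` (this hunk and the `route53_main_legacy` block in the hunk at old line 54), but no `variable "profile"` declaration is part of this commit, so it is presumably supplied through a LINKTOP include; a comment such as `# profile: source credentials for the assume_role below; declared in includes.d` would make that dependency visible to whoever copies this example. Because `profile` selects the base credentials that perform the AssumeRole into `r-inf-terraform-route53`, the session is attributed only through `session_name = var.os_username`, so it is worth confirming that the operator profile is the identity the role trust is meant for rather than an ambient default. The re-aligned `alias`/`region` lines in both hunks are whitespace-only changes and could be left out of a functional commit.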
@@ -13,10 +13,14 @@ LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
 LINKTOP includes.d/variables.application_tags.tf
 LINKTOP includes.d/variables.application_tags.auto.tfvars
+TAG settings
+COMMENT edit locals.tf to change vpc_info to refrence this region and vpc
+COMMENT update variables.dns.auto.tfvars to set the proper comment, and whether to create the zone (false is the zone exists elseewhere)
+STOP verify these are done, and then continue with tf-run apply tag:verified-settings
+TAG verified-settings
 aws_route53_zone.domain_zone aws_route53_zone.ptr_zone aws_route53_resolver_rule_association.all_rules
 ALL
 COMMAND tf-directory-setup.py -l s3
-
diff --git a/examples/full-setup-tf-upgrade/apps/tf-run.data b/examples/full-setup-tf-upgrade/apps/tf-run.data
index ff4775d..15bc130 100644
--- a/examples/full-setup-tf-upgrade/apps/tf-run.data
+++ b/examples/full-setup-tf-upgrade/apps/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.0.5
+VERSION 1.0.6
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
@@ -14,3 +14,7 @@ COMMAND tf-init
 ALL
 COMMAND tf-directory-setup.py -l s3
+
+TAG setup-apps-dns
+COMMENT pushd dns
+COMMENT follow tf-run directions
diff --git a/examples/full-setup-tf-upgrade/tf-run.data b/examples/full-setup-tf-upgrade/tf-run.data
index 203d4c6..51a8d8a 100644
--- a/examples/full-setup-tf-upgrade/tf-run.data
+++ b/examples/full-setup-tf-upgrade/tf-run.data
@@ -1,11 +1,8 @@
-VERSION 1.2.3
+VERSION 2.0.0
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
-LINKTOP provider_configs.d/provider.infoblox.auto.tfvars
-LINKTOP provider_configs.d/provider.infoblox.tf
-LINKTOP provider_configs.d/provider.infoblox.variables.tf
-COMMAND tf-init
+COMMAND tf-init
 LINKTOP includes.d/variables.account_tags.tf
 LINKTOP includes.d/variables.account_tags.auto.tfvars
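Review bot: The new operator-facing COMMENT lines in the `settings` step carry typos that will be read verbatim at a STOP prompt: `refrence` should be `reference`, `elseewhere` should be `elsewhere`, and "false is the zone exists" should read `false if the zone exists`. The same three wordings are repeated in the `setup-apps` COMMENT lines of the top-level tf-run.data hunk at old line 25, so fix them there too. Since the STOP asks the operator to confirm `variables.dns.auto.tfvars` before zones are created, an ambiguous "is/if" here is the kind of instruction that gets a zone created twice.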
@@ -14,9 +11,15 @@ LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
 LINKTOP includes.d/variables.application_tags.tf
 ## LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.infoblox.auto.tfvars
+LINKTOP provider_configs.d/provider.infoblox.tf
+LINKTOP provider_configs.d/provider.infoblox.variables.tf
 LINKTOP common/remote_state.common.tf
 LINKTOP infrastructure/%%SHORT_REGION%%/remote_state.infrastructure_%%SHORT_REGION%%.tf
+LINKTOP includes.d/variables.subnets.tf
+LINKTOP includes.d/variables.vpc.tf
+
 module.vpc module.subnets
 COMMAND tf-directory-setup.py -l s3
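Review bot: The three `provider.infoblox.*` files are now linked in after `COMMAND tf-init` (they were removed from before it in the hunk at old line 1 and re-added here), so if tf-run does not re-run init after a LINKTOP, the infoblox provider plugin will not be installed when `module.vpc module.subnets` is applied with those providers in scope — the earlier LINKTOPs after init are variable files, which do not need a plugin download. Presumably this works because the version constraint is already satisfied from a cached plugin, but that is not visible here; confirm, and if init is needed add `COMMAND tf-init` directly after `LINKTOP provider_configs.d/provider.infoblox.variables.tf`. The bump to `VERSION 2.0.0` suggests this reordering is intentional, so a one-line COMMENT explaining why the infoblox files moved would help the next editor.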
@@ -25,14 +28,32 @@ COMMENT Until you reach this point with a tf-run apply, a plan action will fail
 PAUSE
 module.routing
-module.vpn
+## module.vpn
+COMMENT set the proper region shortname in flowlogs.tf
+PAUSE 5
 module.flowlogs
-module.base-security-groups
-module.sg_web
+module.base-security-groups module.sg_web
 module.nacls module.nacls_enterprise module.nacls_endpoints module.nacls_public_vpc module.nacls_public_nat
-module.peer_services_main_west module.peer_services_main_east
+## module.peer_services_main_west module.peer_services_main_east
 ALL
 ALL
-COMMENT continue setup for apps: cd apps; tf-run apply
-COMMENT continue setup for apps/dns: cd apps/dns; tf-run apply
+TAG setup-tgw
+COMMENT pushd tgw; edit locals.tf to change vpc_rs remote state refrence to this region and vpc
+COMMENT tf-apply
+COMMENT popd
+COMMENT An update to add the VPC details to network-prod transit-gateway-prefixes.yml is needed
+STOP Return here when done, and continue with tf-run apply tag:setup-vpc-endpoints
+
+TAG setup-vpc-endpints
+COMMENT pushd vpc-endpoints; edit locals.tf to change vpc_id and sg_web_id to reference this region and vpc
+COMMENT tf-apply
+COMMENT popd
+STOP Return here when done, and continue with tf-run apply tag:setup-apps
+
+TAG setup-apps
+COMMENT pushd apps
+COMMENT tf-apply
+COMMENT Once done with that, you'll also do the dns directory
+COMMENT cd dns; edit locals.tf to change vpc_info to refrence this region and vpc
+COMMENT update variables.dns.auto.tfvars to set the proper comment, and whether to create the zone (false is the zone exists elseewhere)
diff --git a/examples/full-setup-tf-upgrade/tf-run.destroy.data b/examples/full-setup-tf-upgrade/tf-run.destroy.data
index e98c40b..1e8f952 100644
--- a/examples/full-setup-tf-upgrade/tf-run.destroy.data
+++ b/examples/full-setup-tf-upgrade/tf-run.destroy.data
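Review bot: The `setup-tgw` STOP tells the operator to resume with `tf-run apply tag:setup-vpc-endpoints`, but the tag defined two lines later is spelled `TAG setup-vpc-endpints`, so the resume target does not exist and the run cannot be continued as instructed; change it to `TAG setup-vpc-endpoints`. The same step relies on a manual edit to the network-prod `transit-gateway-prefixes.yml` before continuing, and a missed edit presumably leaves the new VPC's prefixes unadvertised on the transit gateway, so the COMMENT should say which repository/path holds that file and who approves the change so the handoff is checkable. `## module.vpn` and `## module.peer_services_main_west ...` are commented out rather than removed, which matches the `count` guard in vpc.tf and `vpc_enable_vpn = false`, but a COMMENT saying VPN is now TGW-routed would stop someone re-enabling both.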
@@ -1,11 +1,12 @@
-VERSION 1.0.4
+VERSION 1.0.5
 BACKUP-STATE
 COMMAND tf-init
 COMMAND tf-state list
-module.vpn_transit_gateway
+infoblox_ipv4_network.vpc_private_subnets infoblox_ipv4_network_container.vpc_private infoblox_ipv4_network_container.vpc
+module.vpn_transit_gateway
 module.peer_services_main_west module.peer_services_main_east
 module.nacls module.nacls_enterprise module.nacls_endpoints module.nacls_public_vpc module.nacls_public_nat
 module.sg_web
diff --git a/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars b/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars
index 0255455..cc4feb4 100644
--- a/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars
+++ b/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars
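Review bot: The Infoblox allocation records (`infoblox_ipv4_network.vpc_private_subnets` and the two containers) are now the first targets destroyed, ahead of `module.vpn_transit_gateway` and the rest of the VPC; if a later step fails, IPAM no longer reflects a CIDR that is still live in AWS, which is the drift that later produces overlapping allocations. The ordering is presumably forced by those resources depending on module outputs, but nothing in the file says so; a line such as `COMMENT infoblox records depend on the VPC outputs and must be released first; re-check IPAM if the run stops after this point` ahead of that target would keep a future reorder from breaking it and tells the operator what to verify on a partial failure.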
@@ -1,19 +1,50 @@
-public_subnets = [
- ## { base_cidr = "10.188.64.0/24", label = "public", bits = 2, private = false, enabled=false, tags = {} },
-]
+public_subnets = []
+# /19 layout
 private_subnets = [
- { base_cidr = "10.188.65.0/24", label = "endpoints", bits = 2, private = true, enabled = true, tags = {} },
- { base_cidr = "10.188.65.192/26", label = "attachment", bits = 2, private = true, enabled = true, tags = { "boc:vpc:route-table" = "attachment" } },
- { base_cidr = "10.188.66.0/23", label = "private-lb", bits = 2, private = true, enabled = true,
+ { base_cidr = "10.{X}.{y}.0/24", label = "endpoints", bits = 2, private = true, enabled = true, tags = {} },
+ { base_cidr = "10.{X}.{y}.192/26", label = "attachment", bits = 2, private = true, enabled = true, tags = { "boc:vpc:route-table" = "attachment" } },
+ { base_cidr = "10.{X}.{y+1}.0/24", label = "(free)", bits = 2, private = true, enabled = false, tags = {} },
+ { base_cidr = "10.{X}.{y+2}.0/23", label = "private-lb", bits = 2, private = true, enabled = true,
 tags = { "kubernetes.io/role/internal-elb" = 1 }
 },
- { base_cidr = "10.188.68.0/23", label = "db", bits = 2, private = true, enabled = true, tags = {} },
- # { base_cidr = "10.188.70.0/23", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
- { base_cidr = "10.188.72.0/22", label = "apps", bits = 2, private = true, enabled = true, tags = {} },
- # { base_cidr = "10.188.76.0/22", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
- { base_cidr = "10.188.80.0/21", label = "container", bits = 2, private = true, enabled = true,
- tags = {
- # "kubernetes.io/cluster/dice-ite" = "shared"
- },
+ { base_cidr = "10.{X}.{y+4}.0/23", label = "db", bits = 2, private = true, enabled = true, tags = {} },
+ { base_cidr = "10.{X}.{y+6}.0/23", label = "(free)", bits = 2, private = true, enabled = false, tags = {} },
+ { base_cidr = "10.{X}.{y+8}.0/21", label = "apps", bits = 2, private = true, enabled = true, tags = {} },
+ { base_cidr = "10.{X}.{y+16}.0/20", label = "container", bits = 2, private = true, enabled = true,
+ tags = {},
 }
 ]
+
+# layout for /19
+# endpoints 10.x.y.0/24
+# attachment 10.x.y.192/26
+# (free) 10.x.y+1.0/24 enabled=false
+# private-lb 10.x.y+2.0/23
+# db 10.x.y+4.0/23
+# (free) 10.x.y+6.0/23 enabled=false
+# apps 10.x.y+8.0/21
+# container 10.x.y+16.0/20
+
+# layout for /20
+# endpoints 10.x.y.0/24
+# attachment 10.x.y.192/26
+# db 10.x.y+1.0/24
+# private-lb 10.x.y+2.0/24
+# (free) 10.x.y+3.0/23 enabled=false
+# apps 10.x.y+4.0/22
+# container 10.x.y+8.0/21
+
+## # /20 layout
+## private_subnets = [
+## { base_cidr = "10.{X}.{y}.0/24", label = "endpoints", bits = 2, private = true, enabled = true, tags = {} },
+## { base_cidr = "10.{X}.{y}.192/26", label = "attachment", bits = 2, private = true, enabled = true, tags = { "boc:vpc:route-table" = "attachment" } },
+## { base_cidr = "10.{X}.{y+1}.0/24", label = "db", bits = 2, private = true, enabled = true, tags = {} },
+## { base_cidr = "10.{X}.{y+2}.0/24", label = "private-lb", bits = 2, private = true, enabled = true,
+## tags = { "kubernetes.io/role/internal-elb" = 1 }
+## },
+## { base_cidr = "10.{X}.{y+3}.0/24", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
+## { base_cidr = "10.{X}.{y+4}.0/22", label = "apps", bits = 2, private = true, enabled = true, tags = {} },
+## { base_cidr = "10.{X}.{y+8}.0/21", label = "container", bits = 2, private = true, enabled = true,
+## tags = { },
+## }
+## ]
diff --git a/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars.old b/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars.old
new file mode 100644
index 0000000..0255455
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.subnets.auto.tfvars.old
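Review bot: The `# layout for /20` table lists `(free) 10.x.y+3.0/23`, but the commented-out /20 block below declares that entry as `"10.{X}.{y+3}.0/24"`, and a /23 cannot start on an odd third octet (for a /20, y is a multiple of 16, so y+3 is odd); the table line should read `# (free) 10.x.y+3.0/24 enabled=false`. The active /19 entries and the table agree, but the template CIDRs (`10.{X}.{y}.0/24` and so on) are not parseable, so `plan` fails until every `{...}` is replaced; a header line such as `# TEMPLATE: replace {X} and {y} in every base_cidr before running; see the layout tables below` would make that failure mode obvious to whoever copies this example. The `"(free)"` rows are kept `enabled = false`, which is the right default for a placeholder a reviewer has not sized.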
@@ -0,0 +1,19 @@
+public_subnets = [
+ ## { base_cidr = "10.188.64.0/24", label = "public", bits = 2, private = false, enabled=false, tags = {} },
+]
+private_subnets = [
+ { base_cidr = "10.188.65.0/24", label = "endpoints", bits = 2, private = true, enabled = true, tags = {} },
+ { base_cidr = "10.188.65.192/26", label = "attachment", bits = 2, private = true, enabled = true, tags = { "boc:vpc:route-table" = "attachment" } },
+ { base_cidr = "10.188.66.0/23", label = "private-lb", bits = 2, private = true, enabled = true,
+ tags = { "kubernetes.io/role/internal-elb" = 1 }
+ },
+ { base_cidr = "10.188.68.0/23", label = "db", bits = 2, private = true, enabled = true, tags = {} },
+ # { base_cidr = "10.188.70.0/23", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
+ { base_cidr = "10.188.72.0/22", label = "apps", bits = 2, private = true, enabled = true, tags = {} },
+ # { base_cidr = "10.188.76.0/22", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
+ { base_cidr = "10.188.80.0/21", label = "container", bits = 2, private = true, enabled = true,
+ tags = {
+ # "kubernetes.io/cluster/dice-ite" = "shared"
+ },
+ }
+]
diff --git a/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars b/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars
index 488bb9f..9dcee75 100644
--- a/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars
+++ b/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars
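Review bot: Checking in `variables.subnets.auto.tfvars.old` (and `variables.vpc.auto.tfvars.old` in the later new-file hunk) keeps the previous environment's concrete values — the `10.188.64.0/19` allocation, the `dice-ite` names, and in the vpc copy the VPN peer ASNs and partially masked peer addresses — inside an example directory that is meant to be copied. Git history already preserves the prior revision, so these copies add no recovery value while widening what a reader of the examples learns about the live network. Presumably they were left for reference while the template was being built; dropping them, or adding `*.old` to `.gitignore` so they stay local, is the safer choice.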
@@ -1,31 +1,39 @@
-vpc_name = "dice-ite"
-vpc_cidr_block = "10.188.64.0/19"
-vpc_index = "4"
-vpc_short_name = "vpc4"
-vpc_full_name = "vpc4-dice-ite"
-vpc_environment = "ite"
-vpc_domain_name = "ite.dice.census.gov"
+vpc_name = "{org}-{env}"
+vpc_cidr_block = "{cidr}"
+vpc_index = "{N}"
+vpc_short_name = "vpc{N}"
+vpc_full_name = "vpc{N}-{org}-{env}"
+vpc_environment = "{env}"
+vpc_domain_name = "{env}.{org}.csp1.census.gov"
 vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
 vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
 vpc_enable_igw = false
 vpc_enable_nat = false
-vpc_enable_vpn = true
-vpc_enable_vpn_routing = true
+vpc_enable_vpn = false
+vpc_enable_vpn_routing = false
 vpc_enable_awsdns = true
 availability_zones = []
-tgw_enable_vpn_routing = false
+tgw_enable_vpn_routing = true
 tgw_environment = null
 shared_vpc_label = ""
-vpn_settings = [
- { site = "hq", "bgp_asn_id" = 65510, "ip_address" = "148.129.163.NNN" },
- { site = "bcc", "bgp_asn_id" = 65511, "ip_address" = "148.129.78.NNN" },
-]
+vpn_settings = []
+services_peer_settings = {}
-#services_peer_settings = {}
-services_peer_settings = {
- "west" = { peer_name = "vpc1-services", region = "us-gov-west-1", rule_number = 2210 }
- "east" = { peer_name = "vpc1-services", region = "us-gov-east-1", rule_number = 2260 }
-}
+# replace the placeholders
+# {org}
+# {cidr} = 10.x.y.0/mask (mask 19,20,21)
+# {env} = services | common | shared | dev | test | ite | uat | qa | stage | prod
+# {N} = sequence, 1 ..
+# {tgw_env} = services | dev | test | stage | prod | cre
+# required fields to update
+# vpc_name
+# vpc_cidr_block
+# vpc_index
+# vpc_short_name
+# vpc_full_name
+# vpc_environment
+# vpc_omain_name
+# tgw_environment
diff --git a/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars.old b/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars.old
new file mode 100644
index 0000000..488bb9f
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.vpc.auto.tfvars.old
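Review bot: The `# required fields to update` list names `vpc_omain_name`, which matches no variable in this file; it should be `# vpc_domain_name`. The placeholder table documents `{tgw_env}` and its allowed values, yet `tgw_environment = null` carries no placeholder even though it is listed as required, so an operator searching for `{` will miss it; `tgw_environment = "{tgw_env}"` (or a note in the comment that the `null` must be replaced) keeps the two consistent. The `{cidr}` line allows mask 19, 20 or 21 while the subnets file only ships /19 and /20 layouts, so either add a /21 layout there or narrow this comment. Switching `vpc_enable_vpn`/`vpc_enable_vpn_routing` to false and `tgw_enable_vpn_routing` to true in the same hunk is coherent with the `count` guard on `module "vpn"`, but that pairing is worth a one-line comment since the three flags live far from the module.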
@@ -0,0 +1,31 @@
+vpc_name = "dice-ite"
+vpc_cidr_block = "10.188.64.0/19"
+vpc_index = "4"
+vpc_short_name = "vpc4"
+vpc_full_name = "vpc4-dice-ite"
+vpc_environment = "ite"
+vpc_domain_name = "ite.dice.census.gov"
+vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
+vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
+vpc_enable_igw = false
+vpc_enable_nat = false
+vpc_enable_vpn = true
+vpc_enable_vpn_routing = true
+vpc_enable_awsdns = true
+availability_zones = []
+
+tgw_enable_vpn_routing = false
+tgw_environment = null
+shared_vpc_label = ""
+
+vpn_settings = [
+ { site = "hq", "bgp_asn_id" = 65510, "ip_address" = "148.129.163.NNN" },
+ { site = "bcc", "bgp_asn_id" = 65511, "ip_address" = "148.129.78.NNN" },
+]
+
+#services_peer_settings = {}
+services_peer_settings = {
+ "west" = { peer_name = "vpc1-services", region = "us-gov-west-1", rule_number = 2210 }
+ "east" = { peer_name = "vpc1-services", region = "us-gov-east-1", rule_number = 2260 }
+}
+
diff --git a/examples/full-setup-tf-upgrade/vpc.tf b/examples/full-setup-tf-upgrade/vpc.tf
index 1392d70..628ef9f 100644
--- a/examples/full-setup-tf-upgrade/vpc.tf
+++ b/examples/full-setup-tf-upgrade/vpc.tf
@@ -72,7 +72,7 @@ module "routing" {
 }
 module "vpn" {
- # count = var.vpc_enable_vpn ? 1 : 0
+ count = var.vpc_enable_vpn ? 1 : 0
 source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn?ref=tf-upgrade"
 vpc_id = local.vpc_id