diff --git a/.github/workflows/ms.network.virtualnetworkgateways.yml b/.github/workflows/ms.network.virtualnetworkgateways.yml
index dc3728cd03..93ba948ad2 100644
--- a/.github/workflows/ms.network.virtualnetworkgateways.yml
+++ b/.github/workflows/ms.network.virtualnetworkgateways.yml
@@ -106,8 +106,7 @@ jobs:
       - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]'
         uses: ./.github/actions/templates/validateModuleDeployment
         with:
-          templateFilePath: '${{ env.modulePath }}/deploy.bicep'
-          parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
+          templateFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}'
           location: '${{ env.location }}'
           resourceGroupName: '${{ env.resourceGroupName }}'
           subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
diff --git a/modules/.shared/dependencyConstructs/diagnostic.dependencies.bicep b/modules/.shared/dependencyConstructs/diagnostic.dependencies.bicep
index 14a77d7796..58116f5c85 100644
--- a/modules/.shared/dependencyConstructs/diagnostic.dependencies.bicep
+++ b/modules/.shared/dependencyConstructs/diagnostic.dependencies.bicep
@@ -3,6 +3,7 @@
 // ========== //
 
 @description('Required. The name of the storage account to create.')
+@maxLength(24)
 param storageAccountName string
 
 @description('Required. The name of the log analytics workspace to create.')
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn.parameters.json b/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn.parameters.json
deleted file mode 100644
index f3ddce3381..0000000000
--- a/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn.parameters.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "<<namePrefix>>-az-gw-aadvpn-001"
-        },
-        "lock": {
-            "value": "CanNotDelete"
-        },
-        "domainNameLabel": {
-            "value": [
-                "<<namePrefix>>-az-gw-vpn-dm-001"
-            ]
-        },
-        "virtualNetworkGatewayType": {
-            "value": "Vpn"
-        },
-        "virtualNetworkGatewaySku": {
-            "value": "VpnGw2AZ"
-        },
-        "publicIpZones": {
-            "value": [
-                "1"
-            ]
-        },
-        "vpnType": {
-            "value": "RouteBased"
-        },
-        "activeActive": {
-            "value": false
-        },
-        "vpnClientAadConfiguration": {
-            "value": {
-                "aadTenant": "https://login.microsoftonline.com/<<tenantId>>/",
-                "aadAudience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4",
-                "aadIssuer": "'https://sts.windows.net/<<tenantId>>/",
-                "vpnAuthenticationTypes": [
-                    "AAD"
-                ],
-                "vpnClientProtocols": [
-                    "OpenVPN"
-                ]
-            }
-        },
-        "vNetResourceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-vgw-002"
-        },
-        "roleAssignments": {
-            "value": [
-                {
-                    "roleDefinitionIdOrName": "Reader",
-                    "principalIds": [
-                        "<<deploymentSpId>>"
-                    ]
-                }
-            ]
-        },
-        "diagnosticLogsRetentionInDays": {
-            "value": 7
-        },
-        "diagnosticStorageAccountId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
-        },
-        "diagnosticWorkspaceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
-        },
-        "diagnosticEventHubAuthorizationRuleId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
-        },
-        "diagnosticEventHubName": {
-            "value": "adp-<<namePrefix>>-az-evh-x-001"
-        }
-    }
-}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/dependencies.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/dependencies.bicep
new file mode 100644
index 0000000000..044d115b84
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/dependencies.bicep
@@ -0,0 +1,39 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+    name: virtualNetworkName
+    location: location
+    properties: {
+        addressSpace: {
+            addressPrefixes: [
+                '10.0.0.0/24'
+            ]
+        }
+        subnets: [
+            {
+                name: 'GatewaySubnet'
+                properties: {
+                    addressPrefix: '10.0.0.0/24'
+                }
+            }
+        ]
+    }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+    name: managedIdentityName
+    location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output vnetResourceId string = virtualNetwork.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/deploy.test.bicep
new file mode 100644
index 0000000000..088b0119b9
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/aadvpn/deploy.test.bicep
@@ -0,0 +1,97 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(80)
+param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nvngavpn'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-paramNested'
+  params: {
+    virtualNetworkName: 'dep-<<namePrefix>>-vnet-${serviceShort}'
+    managedIdentityName: 'dep-<<namePrefix>>-msi-${serviceShort}'
+  }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+  params: {
+    storageAccountName: 'dep<<namePrefix>>diasa${serviceShort}01'
+    logAnalyticsWorkspaceName: 'dep-<<namePrefix>>-law-${serviceShort}'
+    eventHubNamespaceEventHubName: 'dep-<<namePrefix>>-evh-${serviceShort}'
+    eventHubNamespaceName: 'dep-<<namePrefix>>-evhns-${serviceShort}'
+    location: location
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    virtualNetworkGatewaySku: 'VpnGw2AZ'
+    virtualNetworkGatewayType: 'Vpn'
+    vNetResourceId: resourceGroupResources.outputs.vnetResourceId
+    activeActive: false
+    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    domainNameLabel: [
+      '<<namePrefix>>-dm-${serviceShort}'
+    ]
+    lock: 'CanNotDelete'
+    publicIpZones: [
+      '1'
+    ]
+    roleAssignments: [
+      {
+        roleDefinitionIdOrName: 'Reader'
+        principalIds: [
+          resourceGroupResources.outputs.managedIdentityPrincipalId
+        ]
+        principalType: 'ServicePrincipal'
+      }
+    ]
+    vpnClientAadConfiguration: {
+      // The Application ID of the "Azure VPN" Azure AD Enterprise App for Azure Public
+      aadAudience: '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
+      aadIssuer: 'https://sts.windows.net/${tenant().tenantId}/'
+      aadTenant: '${environment().authentication.loginEndpoint}/${tenant().tenantId}/'
+      vpnAuthenticationTypes: [
+        'AAD'
+      ]
+      vpnClientProtocols: [
+        'OpenVPN'
+      ]
+    }
+    vpnType: 'RouteBased'
+  }
+}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute.parameters.json b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute.parameters.json
deleted file mode 100644
index 3de5a1f41f..0000000000
--- a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute.parameters.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "<<namePrefix>>-az-gw-er-001"
-        },
-        "gatewayPipName": {
-            "value": "<<namePrefix>>-az-gw-er-001-pip"
-        },
-        "domainNameLabel": {
-            "value": [
-                "<<namePrefix>>-az-gw-er-dm-001"
-            ]
-        },
-        "virtualNetworkGatewayType": {
-            "value": "ExpressRoute"
-        },
-        "virtualNetworkGatewaySku": {
-            "value": "ErGw1AZ"
-        },
-        "vNetResourceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001"
-        },
-        "tags": {
-            "value": {
-                "Environment": "Validation",
-                "Contact": "test.user@testcompany.com",
-                "PurchaseOrder": "",
-                "CostCenter": "",
-                "ServiceName": "DeploymentValidation",
-                "Role": "DeploymentValidation"
-            }
-        },
-        "roleAssignments": {
-            "value": [
-                {
-                    "roleDefinitionIdOrName": "Reader",
-                    "principalIds": [
-                        "<<deploymentSpId>>"
-                    ]
-                }
-            ]
-        },
-        "diagnosticLogsRetentionInDays": {
-            "value": 7
-        },
-        "diagnosticStorageAccountId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
-        },
-        "diagnosticWorkspaceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
-        },
-        "diagnosticEventHubAuthorizationRuleId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
-        },
-        "diagnosticEventHubName": {
-            "value": "adp-<<namePrefix>>-az-evh-x-001"
-        }
-    }
-}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/dependencies.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/dependencies.bicep
new file mode 100644
index 0000000000..044d115b84
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/dependencies.bicep
@@ -0,0 +1,39 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+    name: virtualNetworkName
+    location: location
+    properties: {
+        addressSpace: {
+            addressPrefixes: [
+                '10.0.0.0/24'
+            ]
+        }
+        subnets: [
+            {
+                name: 'GatewaySubnet'
+                properties: {
+                    addressPrefix: '10.0.0.0/24'
+                }
+            }
+        ]
+    }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+    name: managedIdentityName
+    location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output vnetResourceId string = virtualNetwork.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep
new file mode 100644
index 0000000000..505f2b96b4
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/expressRoute/deploy.test.bicep
@@ -0,0 +1,88 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(80)
+param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nvger'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-paramNested'
+  params: {
+    virtualNetworkName: 'dep-<<namePrefix>>-vnet-${serviceShort}'
+    managedIdentityName: 'dep-<<namePrefix>>-msi-${serviceShort}'
+  }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+  params: {
+    storageAccountName: 'dep<<namePrefix>>diasa${serviceShort}01'
+    logAnalyticsWorkspaceName: 'dep-<<namePrefix>>-law-${serviceShort}'
+    eventHubNamespaceEventHubName: 'dep-<<namePrefix>>-evh-${serviceShort}'
+    eventHubNamespaceName: 'dep-<<namePrefix>>-evhns-${serviceShort}'
+    location: location
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    virtualNetworkGatewaySku: 'ErGw1AZ'
+    virtualNetworkGatewayType: 'ExpressRoute'
+    vNetResourceId: resourceGroupResources.outputs.vnetResourceId
+    diagnosticLogsRetentionInDays: 7
+    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    domainNameLabel: [
+      '<<namePrefix>>-dm-${serviceShort}'
+    ]
+    gatewayPipName: '<<namePrefix>>-pip-${serviceShort}'
+    roleAssignments: [
+      {
+        principalIds: [
+          resourceGroupResources.outputs.managedIdentityPrincipalId
+        ]
+        roleDefinitionIdOrName: 'Reader'
+      }
+    ]
+    tags: {
+      Contact: 'test.user@testcompany.com'
+      CostCenter: ''
+      Environment: 'Validation'
+      PurchaseOrder: ''
+      Role: 'DeploymentValidation'
+      ServiceName: 'DeploymentValidation'
+    }
+  }
+}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn.parameters.json b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn.parameters.json
deleted file mode 100644
index cf037dc7e9..0000000000
--- a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn.parameters.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "<<namePrefix>>-az-gw-vpn-001"
-        },
-        "lock": {
-            "value": "CanNotDelete"
-        },
-        "domainNameLabel": {
-            "value": [
-                "<<namePrefix>>-az-gw-vpn-dm-001"
-            ]
-        },
-        "virtualNetworkGatewayType": {
-            "value": "Vpn"
-        },
-        "virtualNetworkGatewaySku": {
-            "value": "VpnGw1AZ"
-        },
-        "publicIpZones": {
-            "value": [
-                "1"
-            ]
-        },
-        "vpnType": {
-            "value": "RouteBased"
-        },
-        "activeActive": {
-            "value": true
-        },
-        "vNetResourceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001"
-        },
-        "roleAssignments": {
-            "value": [
-                {
-                    "roleDefinitionIdOrName": "Reader",
-                    "principalIds": [
-                        "<<deploymentSpId>>"
-                    ]
-                }
-            ]
-        },
-        "diagnosticLogsRetentionInDays": {
-            "value": 7
-        },
-        "diagnosticStorageAccountId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
-        },
-        "diagnosticWorkspaceId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
-        },
-        "diagnosticEventHubAuthorizationRuleId": {
-            "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
-        },
-        "diagnosticEventHubName": {
-            "value": "adp-<<namePrefix>>-az-evh-x-001"
-        }
-    }
-}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep
new file mode 100644
index 0000000000..044d115b84
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/dependencies.bicep
@@ -0,0 +1,39 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+    name: virtualNetworkName
+    location: location
+    properties: {
+        addressSpace: {
+            addressPrefixes: [
+                '10.0.0.0/24'
+            ]
+        }
+        subnets: [
+            {
+                name: 'GatewaySubnet'
+                properties: {
+                    addressPrefix: '10.0.0.0/24'
+                }
+            }
+        ]
+    }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+    name: managedIdentityName
+    location: location
+}
+
+@description('The resource ID of the created Virtual Network.')
+output vnetResourceId string = virtualNetwork.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep
new file mode 100644
index 0000000000..eab669ff96
--- /dev/null
+++ b/modules/Microsoft.Network/virtualNetworkGateways/.test/vpn/deploy.test.bicep
@@ -0,0 +1,85 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(80)
+param resourceGroupName string = 'ms.network.virtualnetworkgateways-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nvgvpn'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-paramNested'
+  params: {
+    virtualNetworkName: 'dep-<<namePrefix>>-vnet-${serviceShort}'
+    managedIdentityName: 'dep-<<namePrefix>>-msi-${serviceShort}'
+  }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/dependencyConstructs/diagnostic.dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+  params: {
+    storageAccountName: 'dep<<namePrefix>>diasa${serviceShort}01'
+    logAnalyticsWorkspaceName: 'dep-<<namePrefix>>-law-${serviceShort}'
+    eventHubNamespaceEventHubName: 'dep-<<namePrefix>>-evh-${serviceShort}'
+    eventHubNamespaceName: 'dep-<<namePrefix>>-evhns-${serviceShort}'
+    location: location
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+  params: {
+    name: '<<namePrefix>>${serviceShort}001'
+    virtualNetworkGatewaySku: 'VpnGw1AZ'
+    virtualNetworkGatewayType: 'Vpn'
+    vNetResourceId: resourceGroupResources.outputs.vnetResourceId
+    activeActive: true
+    diagnosticLogsRetentionInDays: 7
+    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    domainNameLabel: [
+      '<<namePrefix>>-dm-${serviceShort}'
+    ]
+    lock: 'CanNotDelete'
+    publicIpZones: [
+      '1'
+    ]
+    roleAssignments: [
+      {
+        principalIds: [
+          resourceGroupResources.outputs.managedIdentityPrincipalId
+        ]
+        roleDefinitionIdOrName: 'Reader'
+      }
+    ]
+    vpnType: 'RouteBased'
+  }
+}
diff --git a/modules/Microsoft.Network/virtualNetworkGateways/readme.md b/modules/Microsoft.Network/virtualNetworkGateways/readme.md
index eb2f140a1e..9cbf8faf5e 100644
--- a/modules/Microsoft.Network/virtualNetworkGateways/readme.md
+++ b/modules/Microsoft.Network/virtualNetworkGateways/readme.md
@@ -261,22 +261,21 @@ The following module usage examples are retrieved from the content of the files
 
 ```bicep
 module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy.bicep' = {
-  name: '${uniqueString(deployment().name)}-VirtualNetworkGateways'
+  name: '${uniqueString(deployment().name)}-test-nvngavpn'
   params: {
     // Required parameters
-    name: '<<namePrefix>>-az-gw-aadvpn-001'
+    name: '<<namePrefix>>nvngavpn001'
     virtualNetworkGatewaySku: 'VpnGw2AZ'
     virtualNetworkGatewayType: 'Vpn'
-    vNetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-vgw-002'
+    vNetResourceId: '<vNetResourceId>'
     // Non-required parameters
     activeActive: false
-    diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
-    diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
-    diagnosticLogsRetentionInDays: 7
-    diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
-    diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
+    diagnosticEventHubAuthorizationRuleId: '<diagnosticEventHubAuthorizationRuleId>'
+    diagnosticEventHubName: '<diagnosticEventHubName>'
+    diagnosticStorageAccountId: '<diagnosticStorageAccountId>'
+    diagnosticWorkspaceId: '<diagnosticWorkspaceId>'
     domainNameLabel: [
-      '<<namePrefix>>-az-gw-vpn-dm-001'
+      '<<namePrefix>>-dm-nvngavpn'
     ]
     lock: 'CanNotDelete'
     publicIpZones: [
@@ -285,15 +284,16 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
     roleAssignments: [
       {
         principalIds: [
-          '<<deploymentSpId>>'
+          '<managedIdentityPrincipalId>'
         ]
+        principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Reader'
       }
     ]
     vpnClientAadConfiguration: {
       aadAudience: '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
-      aadIssuer: ''https://sts.windows.net/<<tenantId>>/'
-      aadTenant: 'https://login.microsoftonline.com/<<tenantId>>/'
+      aadIssuer: 'https://sts.windows.net/${tenant().tenantId}/'
+      aadTenant: '<aadTenant>'
       vpnAuthenticationTypes: [
         'AAD'
       ]
@@ -320,7 +320,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
   "parameters": {
     // Required parameters
     "name": {
-      "value": "<<namePrefix>>-az-gw-aadvpn-001"
+      "value": "<<namePrefix>>nvngavpn001"
     },
     "virtualNetworkGatewaySku": {
       "value": "VpnGw2AZ"
@@ -329,30 +329,27 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
       "value": "Vpn"
     },
     "vNetResourceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-vgw-002"
+      "value": "<vNetResourceId>"
     },
     // Non-required parameters
     "activeActive": {
       "value": false
     },
     "diagnosticEventHubAuthorizationRuleId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+      "value": "<diagnosticEventHubAuthorizationRuleId>"
     },
     "diagnosticEventHubName": {
-      "value": "adp-<<namePrefix>>-az-evh-x-001"
-    },
-    "diagnosticLogsRetentionInDays": {
-      "value": 7
+      "value": "<diagnosticEventHubName>"
     },
     "diagnosticStorageAccountId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
+      "value": "<diagnosticStorageAccountId>"
     },
     "diagnosticWorkspaceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
+      "value": "<diagnosticWorkspaceId>"
     },
     "domainNameLabel": {
       "value": [
-        "<<namePrefix>>-az-gw-vpn-dm-001"
+        "<<namePrefix>>-dm-nvngavpn"
       ]
     },
     "lock": {
@@ -367,8 +364,9 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
       "value": [
         {
           "principalIds": [
-            "<<deploymentSpId>>"
+            "<managedIdentityPrincipalId>"
           ],
+          "principalType": "ServicePrincipal",
           "roleDefinitionIdOrName": "Reader"
         }
       ]
@@ -376,8 +374,8 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
     "vpnClientAadConfiguration": {
       "value": {
         "aadAudience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4",
-        "aadIssuer": "'https://sts.windows.net/<<tenantId>>/",
-        "aadTenant": "https://login.microsoftonline.com/<<tenantId>>/",
+        "aadIssuer": "https://sts.windows.net/${tenant().tenantId}/",
+        "aadTenant": "<aadTenant>",
         "vpnAuthenticationTypes": [
           "AAD"
         ],
@@ -404,27 +402,27 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
 
 ```bicep
 module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy.bicep' = {
-  name: '${uniqueString(deployment().name)}-VirtualNetworkGateways'
+  name: '${uniqueString(deployment().name)}-test-nvger'
   params: {
     // Required parameters
-    name: '<<namePrefix>>-az-gw-er-001'
+    name: '<<namePrefix>>nvger001'
     virtualNetworkGatewaySku: 'ErGw1AZ'
     virtualNetworkGatewayType: 'ExpressRoute'
-    vNetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001'
+    vNetResourceId: '<vNetResourceId>'
     // Non-required parameters
-    diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
-    diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
+    diagnosticEventHubAuthorizationRuleId: '<diagnosticEventHubAuthorizationRuleId>'
+    diagnosticEventHubName: '<diagnosticEventHubName>'
     diagnosticLogsRetentionInDays: 7
-    diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
-    diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
+    diagnosticStorageAccountId: '<diagnosticStorageAccountId>'
+    diagnosticWorkspaceId: '<diagnosticWorkspaceId>'
     domainNameLabel: [
-      '<<namePrefix>>-az-gw-er-dm-001'
+      '<<namePrefix>>-dm-nvger'
     ]
-    gatewayPipName: '<<namePrefix>>-az-gw-er-001-pip'
+    gatewayPipName: '<<namePrefix>>-pip-nvger'
     roleAssignments: [
       {
         principalIds: [
-          '<<deploymentSpId>>'
+          '<managedIdentityPrincipalId>'
         ]
         roleDefinitionIdOrName: 'Reader'
       }
@@ -455,7 +453,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
   "parameters": {
     // Required parameters
     "name": {
-      "value": "<<namePrefix>>-az-gw-er-001"
+      "value": "<<namePrefix>>nvger001"
     },
     "virtualNetworkGatewaySku": {
       "value": "ErGw1AZ"
@@ -464,37 +462,37 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
       "value": "ExpressRoute"
     },
     "vNetResourceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001"
+      "value": "<vNetResourceId>"
     },
     // Non-required parameters
     "diagnosticEventHubAuthorizationRuleId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+      "value": "<diagnosticEventHubAuthorizationRuleId>"
     },
     "diagnosticEventHubName": {
-      "value": "adp-<<namePrefix>>-az-evh-x-001"
+      "value": "<diagnosticEventHubName>"
     },
     "diagnosticLogsRetentionInDays": {
       "value": 7
     },
     "diagnosticStorageAccountId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
+      "value": "<diagnosticStorageAccountId>"
     },
     "diagnosticWorkspaceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
+      "value": "<diagnosticWorkspaceId>"
     },
     "domainNameLabel": {
       "value": [
-        "<<namePrefix>>-az-gw-er-dm-001"
+        "<<namePrefix>>-dm-nvger"
       ]
     },
     "gatewayPipName": {
-      "value": "<<namePrefix>>-az-gw-er-001-pip"
+      "value": "<<namePrefix>>-pip-nvger"
     },
     "roleAssignments": {
       "value": [
         {
           "principalIds": [
-            "<<deploymentSpId>>"
+            "<managedIdentityPrincipalId>"
           ],
           "roleDefinitionIdOrName": "Reader"
         }
@@ -525,22 +523,22 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
 
 ```bicep
 module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy.bicep' = {
-  name: '${uniqueString(deployment().name)}-VirtualNetworkGateways'
+  name: '${uniqueString(deployment().name)}-test-nvgvpn'
   params: {
     // Required parameters
-    name: '<<namePrefix>>-az-gw-vpn-001'
+    name: '<<namePrefix>>nvgvpn001'
     virtualNetworkGatewaySku: 'VpnGw1AZ'
     virtualNetworkGatewayType: 'Vpn'
-    vNetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001'
+    vNetResourceId: '<vNetResourceId>'
     // Non-required parameters
     activeActive: true
-    diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
-    diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
+    diagnosticEventHubAuthorizationRuleId: '<diagnosticEventHubAuthorizationRuleId>'
+    diagnosticEventHubName: '<diagnosticEventHubName>'
     diagnosticLogsRetentionInDays: 7
-    diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
-    diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
+    diagnosticStorageAccountId: '<diagnosticStorageAccountId>'
+    diagnosticWorkspaceId: '<diagnosticWorkspaceId>'
     domainNameLabel: [
-      '<<namePrefix>>-az-gw-vpn-dm-001'
+      '<<namePrefix>>-dm-nvgvpn'
     ]
     lock: 'CanNotDelete'
     publicIpZones: [
@@ -549,7 +547,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
     roleAssignments: [
       {
         principalIds: [
-          '<<deploymentSpId>>'
+          '<managedIdentityPrincipalId>'
         ]
         roleDefinitionIdOrName: 'Reader'
       }
@@ -573,7 +571,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
   "parameters": {
     // Required parameters
     "name": {
-      "value": "<<namePrefix>>-az-gw-vpn-001"
+      "value": "<<namePrefix>>nvgvpn001"
     },
     "virtualNetworkGatewaySku": {
       "value": "VpnGw1AZ"
@@ -582,30 +580,30 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
       "value": "Vpn"
     },
     "vNetResourceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001"
+      "value": "<vNetResourceId>"
     },
     // Non-required parameters
     "activeActive": {
       "value": true
     },
     "diagnosticEventHubAuthorizationRuleId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+      "value": "<diagnosticEventHubAuthorizationRuleId>"
     },
     "diagnosticEventHubName": {
-      "value": "adp-<<namePrefix>>-az-evh-x-001"
+      "value": "<diagnosticEventHubName>"
     },
     "diagnosticLogsRetentionInDays": {
       "value": 7
     },
     "diagnosticStorageAccountId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
+      "value": "<diagnosticStorageAccountId>"
     },
     "diagnosticWorkspaceId": {
-      "value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
+      "value": "<diagnosticWorkspaceId>"
     },
     "domainNameLabel": {
       "value": [
-        "<<namePrefix>>-az-gw-vpn-dm-001"
+        "<<namePrefix>>-dm-nvgvpn"
       ]
     },
     "lock": {
@@ -620,7 +618,7 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy
       "value": [
         {
           "principalIds": [
-            "<<deploymentSpId>>"
+            "<managedIdentityPrincipalId>"
           ],
           "roleDefinitionIdOrName": "Reader"
         }