The Azure Footgun Database
The ways Azure quietly costs you money or exposes you to risk, documented one by one. What it is, why it happens, what it costs, and how to fix it.
Every entry has a stable ID: AZF-0001 is Azure Footgun No. 1.
A forgotten DDoS Protection Plan bills ~$2,944/mo while protecting nothing
Network DDoS Protection Plans charge a flat monthly fee even with zero VNets attached. A detached plan is pure waste.
Key Vault purge protection is off by default, so a deleted vault can be gone for good
Without purge protection, a deleted Key Vault can be permanently purged before the retention window ends, taking the data its keys encrypted with it.
An unattached managed disk bills its full provisioned size forever
Delete a VM and its data disks usually survive. A managed disk in the Unattached state bills its full provisioned capacity whether or not anything reads it.
A reserved Standard public IP keeps billing after whatever it fronted is gone
Standard SKU public IPs are always statically allocated and always billed. When the load balancer or NIC they fronted goes away, the IP keeps charging.
An Azure Bastion bills by the hour even on the days nobody connects
Bastion is billed per deployment-hour, not per session. A host left running in a low-traffic or abandoned VNet charges around the clock for sessions nobody opens.
An NSG rule allowing 0.0.0.0/0 inbound puts a management port on the public internet
A single inbound allow rule with source Any (0.0.0.0/0) on a management port turns a VM into a target for the internet's background scanning traffic.
Stop hunting these one at a time
StratoLens checks for every footgun in this database across all your subscriptions, continuously, inside your own Azure tenant. You find out from a report, not from the bill.