What it is
An Application Gateway that is wired up with backends and listeners but receives no real traffic. The application behind it moved, was retired, or the gateway was stood up for a launch that slipped, and it keeps billing its flat hourly rate while returning zero backend responses.
Why it happens
An Application Gateway v2 bills a flat hourly charge just for running, plus capacity-unit charges when it is under load. A gateway that handles no requests still pays the hourly floor around the clock, and the only ways to end that charge are to stop the gateway (az network application-gateway stop, which halts billing while it is stopped) or delete it. Left running, it bills whether or not a single request reaches it.
Idle gateways are easy to miss because they look healthy. The listeners are configured, the backend pool is populated, nothing is in an error state. The only signal is that no real requests are reaching the backends, which Azure will not surface for you. So the gateway sits behind a DNS name nobody uses, billing every hour.
What it costs / blast radius
The fixed hourly charge does not scale with instance size, because v2 has no instance sizes; it autoscales via capacity units (CUs) under load. At list price the fixed portion is roughly $144/month (about $1,700/year) for a Standard_v2 gateway and near $260/month for WAF_v2, regardless of how large it grows. (List price; capacity-unit charges under load are separate and your contract may differ.) That flat floor is owed no matter how little traffic flows, so an idle gateway pays it in full for serving nothing, while a busy one adds CU charges on top.
See it
Resources
| where type =~ 'microsoft.network/applicationgateways'
| extend tier = tostring(properties.sku.tier)
| where tier in~ ('Standard_v2', 'WAF_v2')
| project name, resourceGroup, subscriptionId, location, tier,
state = tostring(properties.operationalState)// Check backend response volume over the last week before removing it.
az monitor metrics list \
--resource appgw-prod --resource-group rg-network \
--metric BackendResponseStatus --interval PT1H \
--start-time 2026-06-23T00:00:00Z
// If backends have served nothing and the app is gone, delete the gateway.
az network application-gateway delete \
--name appgw-prod --resource-group rg-networkHow StratoLens helps
StratoLens tracks backend traffic on every Application Gateway across every subscription and flags the ones sitting idle, with the per-gateway monthly cost attached. You don't have to remember which app moved off which gateway; the check runs continuously so a gateway serving no one can't keep billing its hourly floor unnoticed.