Skip to main content
Back to the Azure Footguns Database
CostMediumCommonAZF-0023

A single resource's daily spend spikes above its baseline while the subscription budget stays quiet

One resource's daily cost jumps sharply above its normal level. Subscription-total budget alerts don't see it, so the spike inflates the bill until month-end.

Footgun ID
AZF-0023 (Azure Footgun No. 23)
Azure service
Azure Cost Management
Resource type
Microsoft.CostManagement/query
Updated
July 1, 2026

What it is

A sudden, sharp increase in one resource's daily spend above the level it normally runs at, a data-egress burst, a runaway autoscale, a log pipeline that started ingesting far more than usual. The resource keeps working, so the only symptom is a bill that comes in higher than expected, often noticed weeks after the spike started.

Impact (cost)
The overspend equals the gap between a resource's baseline daily cost and its spiked daily cost, sustained until someone notices
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

The native guardrail most teams rely on is a budget alert, and a budget watches a total against a fixed threshold, usually a whole subscription or resource group. A single resource can double or triple its own daily cost and stay completely invisible if the subscription total is still under budget, which it usually is. The alert is coarse by design: it answers "are we over our number" not "is any one resource behaving unlike itself."

Azure's own cost anomaly detection helps, but it operates at subscription scope and is not tuned to each resource's individual pattern, so a spike that is dramatic relative to one resource can be lost in the aggregate. The honest problem is one of baseline: catching a spike means comparing a resource against its own recent normal, not against a static dollar figure or a subscription-wide total.

What it costs / blast radius

The magnitude is the difference between the resource's baseline daily cost and its spiked daily cost, multiplied by every day the spike runs before anyone catches it. A threshold budget only trips once the cumulative total crosses the line, which can be most of the way through the month, so the loss is the spike times the detection lag. (Authored assessment of Azure alerting behavior, not a measured figure; the actual dollars depend entirely on the resource and how long the spike persists.)

See it

Naive guardrail: one static threshold on the whole subscription
resource budget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: 'monthly-cap'
  properties: {
    category: 'Cost'
    timeGrain: 'Monthly'
    amount: 50000            // a single fixed number for the entire subscription
    notifications: {
      over80: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80         // fires only when the TOTAL crosses 80%
        contactEmails: [ 'finops@example.com' ]
      }
    }
    // A resource that doubles its own daily spend is invisible here
    // as long as the subscription total stays under the cap.
  }
}
Better model (conceptual): judge each resource against its own recent normal
// The gap a static budget can't close: a *per-resource baseline*.
//
//   for each resource:
//     baseline = its own typical daily cost over a recent window
//     today    = its cost today
//     if today is sharply above baseline -> flag a spike
//
// The unit of comparison is the resource against itself, not the
// subscription total against a fixed dollar figure. That is what lets
// a spike on one resource surface while everything else is normal.

How StratoLens helps

StratoLens establishes what each resource's spend normally looks like and flags the ones that spike sharply above their own baseline, per resource, across every subscription, so a runaway line item surfaces on its own instead of hiding inside a subscription total that's still under budget. It runs continuously in your own tenant, so you find the spike in days, not at month-end.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.