What it is
An Azure DDoS Network Protection Plan that isn't associated with any virtual network. It provides no protection to anything, but it still bills the full flat monthly fee for as long as it exists.
Why it happens
DDoS Network Protection is priced as a flat monthly plan plus per-resource overage, independent of whether any VNet is attached. Plans are often created during a project, then the VNets get torn down or migrated while the plan lingers.
There is no Azure nudge telling you a plan is now protecting nothing, so it sits on the bill indefinitely. Nothing is misconfigured in a way Azure considers an error, which is exactly why it survives reviews.
What it costs / blast radius
At list price the plan is roughly $2,944/month regardless of association, about $35,000/year for a resource doing nothing. (List price; your contract may differ.) The number doesn't depend on traffic, attached resources, or whether anyone remembers the plan exists.
See it
resource ddos 'Microsoft.Network/ddosProtectionPlans@2023-09-01' = {
  name: 'corp-ddos-plan'
  location: location
  // ...no VNet references this plan anymore
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'corp-vnet'
  location: location
  properties: {
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddos.id } // the association that justifies the cost
  }
}

How StratoLens helps
StratoLens checks every subscription for DDoS plans with no live VNet association and surfaces them automatically, so a $35k/year orphan can't hide in a subscription nobody opens. You don't have to remember the check exists; it runs continuously.
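One way to run the same check by hand, as an added example (not StratoLens's code): the function below takes the JSON from `az network ddos-protection list` and `az network vnet list` and flags plans that no VNet references from either side. The field names follow the Azure CLI's flattened output and are an assumption to verify against your CLI version; the sample inventory is constructed.

```python
import json

# List price quoted on this page; your contract may differ.
LIST_PRICE_PER_MONTH_USD = 2944

def _props(resource):
    """az CLI flattens 'properties'; raw ARM output nests it. Accept both."""
    return {**resource, **(resource.get("properties") or {})}

def _plan_id(vnet):
    """Lowercased plan ID a VNet points at, or None if protection is off."""
    p = _props(vnet)
    if not p.get("enableDdosProtection"):
        return None
    return ((p.get("ddosProtectionPlan") or {}).get("id") or "").lower() or None

def find_orphaned_plans(plans, vnets):
    """Return plans with no VNet association from either side.

    vnets must be gathered across every subscription, because a plan
    can protect VNets outside the subscription it lives in.
    """
    referenced = {pid for pid in map(_plan_id, vnets) if pid}
    orphans = []
    for plan in plans:
        listed = _props(plan).get("virtualNetworks") or []
        # Azure resource IDs are case-insensitive, so compare lowercased.
        if not listed and plan["id"].lower() not in referenced:
            orphans.append({"id": plan["id"], "name": plan.get("name"),
                            "monthly_usd": LIST_PRICE_PER_MONTH_USD})
    return orphans

# Constructed sample inventory (not real resources).
SAMPLE_PLANS = json.loads("""[
  {"id": "/subscriptions/0000/resourceGroups/net/providers/Microsoft.Network/ddosProtectionPlans/corp-ddos-plan",
   "name": "corp-ddos-plan", "virtualNetworks": null},
  {"id": "/subscriptions/0000/resourceGroups/net/providers/Microsoft.Network/ddosProtectionPlans/prod-ddos-plan",
   "name": "prod-ddos-plan", "virtualNetworks": null}
]""")
SAMPLE_VNETS = json.loads("""[
  {"name": "prod-vnet", "enableDdosProtection": true,
   "ddosProtectionPlan": {"id": "/SUBSCRIPTIONS/0000/resourcegroups/net/providers/microsoft.network/ddosprotectionplans/prod-ddos-plan"}},
  {"name": "old-vnet", "enableDdosProtection": false, "ddosProtectionPlan": null}
]""")

if __name__ == "__main__":
    for o in find_orphaned_plans(SAMPLE_PLANS, SAMPLE_VNETS):
        print(f"ORPHAN {o['name']}: ~${o['monthly_usd']}/month at list price")
```

Feed it the combined output from every subscription in the tenant; a VNet list limited to one subscription will report shared plans as orphaned.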