What it is
A Front Door WAF policy (Microsoft.Network/frontDoorWebApplicationFirewallPolicies) that is not attached to any Front Door profile. A WAF policy only inspects the traffic of the security policies or frontend endpoints linked to it, so a policy with neither link filters nothing. It still bills a per-policy monthly rate for as long as it exists.
Why it happens
A WAF policy and the Front Door profile it protects are separate resources. The policy carries the managed rule sets and custom rules; the profile references the policy through a security-policy link (Standard/Premium) or a frontend-endpoint link (Classic). Delete or rebuild the Front Door profile and the policy is left behind with both link collections empty, still holding its rules but wired to nothing.
Azure does not warn you that a policy has stopped protecting anything. The resource is valid, its rules are intact, and it looks exactly like a working WAF in the portal. Only the missing links tell you it is inert, and nobody checks link collections during a cost review.
What it costs / blast radius
On the classic Front Door tier a WAF policy carries its own per-policy fee, roughly $5 to $20/month at list price depending on rule configuration, billed whether or not it is attached to a profile. (List price; your contract may differ.) Front Door Standard and Premium bundle WAF differently, with managed rule sets included in Premium rather than charged as a standalone per-policy line, so it is the classic tier where an orphaned policy keeps billing while attached to nothing. The cost is modest per policy, but there is a second, quieter problem that applies on any tier: an orphaned WAF policy reads as protection that isn't there. Someone reviewing the environment sees a WAF and assumes the front door is covered, when the policy inspects zero requests. Delete it or re-link it, but do not leave it looking like a control it no longer is.
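The tier split above, as an added example (not StratoLens or Microsoft code): it triages exported policy rows into attached, orphaned on the classic tier (standalone per-policy fee), and orphaned on Standard/Premium (mainly the false-assurance problem). The row shape mirrors Azure Resource Graph output, the sample rows are constructed, and the category labels are this example's own.

```python
import json

# Constructed sample rows shaped like Azure Resource Graph output for
# Front Door WAF policies; every name and ID here is invented.
SAMPLE = json.loads("""[
 {"name": "corpWafPolicy", "sku": {"name": "Classic_AzureFrontDoor"},
  "properties": {"frontendEndpointLinks": [], "securityPolicyLinks": null}},
 {"name": "shopWaf", "sku": {"name": "Premium_AzureFrontDoor"},
  "properties": {"securityPolicyLinks": []}},
 {"name": "apiWaf", "sku": {"name": "Standard_AzureFrontDoor"},
  "properties": {"securityPolicyLinks": [{"id": "constructed-link-id"}]}},
 {"name": "legacyWaf",
  "properties": {"frontendEndpointLinks": [{"id": "constructed-link-id"}]}},
 {"name": "mysteryWaf", "properties": {}}
]""")

LINK_KEYS = ("securityPolicyLinks", "frontendEndpointLinks")


def link_count(policy):
    """Total links on a policy; a missing key, null and [] all count as zero."""
    props = policy.get("properties") or {}
    return sum(len(props.get(key) or []) for key in LINK_KEYS)


def classify(policy):
    """Label one policy row (labels are this example's own, not Azure's)."""
    if link_count(policy) > 0:
        return "attached"
    sku = ((policy.get("sku") or {}).get("name") or "").lower()
    if sku.startswith("classic"):
        return "orphaned-classic"    # standalone per-policy fee keeps billing
    if sku.startswith(("standard", "premium")):
        return "orphaned-bundled"    # WAF bundled; still looks like a control
    return "orphaned-unknown-tier"   # no SKU in the row: check before deleting


def triage(policies):
    """Map policy name -> label for every row."""
    return {p["name"]: classify(p) for p in policies}


if __name__ == "__main__":
    for name, label in triage(SAMPLE).items():
        print(f"{name:15} {label}")
```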
See it
Resources
| where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies'
| extend secLinks = array_length(properties.securityPolicyLinks)
| extend feLinks = array_length(properties.frontendEndpointLinks)
| where (isnull(secLinks) or secLinks == 0)
    and (isnull(feLinks) or feLinks == 0)
| project name, resourceGroup, subscriptionId

# If a Front Door should be using it, re-attach it. Otherwise remove it
# so it stops billing and stops looking like protection that isn't there.
az network front-door waf-policy delete \
  --name corpWafPolicy \
  --resource-group rg-edge
How StratoLens helps
StratoLens checks every subscription for Front Door WAF policies with no live profile association and surfaces them with their per-policy cost, so an inert policy can't sit on the bill or masquerade as active protection. The check runs continuously; you don't have to remember it exists.