What it is
An Azure Bastion host deployed into a virtual network that no longer has VMs anyone connects to, or that gets used a few hours a month. Bastion bills for every hour it is deployed, not for the sessions it actually serves.
Why it happens
Bastion is provisioned per-VNet as an always-on managed service and billed by the deployment-hour plus outbound data. Unlike a VM, you can't "stop" it to pause the meter; the only way to stop paying is to delete the host.
It gets stranded when the workloads in its VNet are decommissioned, or when it was stood up for a one-off migration and never torn down. Because it's a security convenience, nobody wants to be the one who removes it.
What it costs / blast radius
A Basic SKU Bastion is roughly $0.19/hour, about $140/month at list price, before outbound data; Standard SKU and scale units cost more. That's ~$1,700/year for jump-box access that, in an abandoned VNet, no one is using.
See it
Resources
| where type =~ 'microsoft.network/bastionhosts'
| project name, resourceGroup, subscriptionId, location,
    sku = sku.name

az network bastion delete \
    --name bastion-legacy --resource-group rg-legacy
# Bastion redeploys in minutes when a real need returns.
How StratoLens helps
StratoLens flags Bastion hosts in VNets with little or no live workload across every subscription, with the monthly cost attached, so an always-on charge in a forgotten environment can't quietly run for a year. It watches for the idle case so you don't have to audit for it.
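
An added example (not from the original page) that extends the listing query under "See it": it joins each Bastion host to the number of VM-attached NICs in its own VNet, so hosts with a `vmNics` of 0 sort first for review before any delete. It assumes hosts deployed into an AzureBastionSubnet and does not count VMs in peered VNets, which a Bastion host can also serve; the column names `vnetId` and `vmNics` are chosen here.

```kusto
// Added example: Bastion hosts with the count of VM-attached NICs in the same VNet.
// vmNics = 0 marks a host to review; VMs in peered VNets are NOT counted.
Resources
| where type =~ 'microsoft.network/bastionhosts'
// A Bastion host's IP configuration points at its subnet; strip the subnet
// suffix to get the parent VNet resource ID.
| mv-expand ipc = properties.ipConfigurations
| extend vnetId = tolower(tostring(split(tostring(ipc.properties.subnet.id), '/subnets/')[0]))
| project bastionName = name, resourceGroup, subscriptionId, location,
    sku = tostring(sku.name), vnetId
| join kind=leftouter (
    Resources
    | where type =~ 'microsoft.network/networkinterfaces'
    // Keep only NICs that are attached to a virtual machine.
    | where isnotempty(tostring(properties.virtualMachine.id))
    | mv-expand nicIpc = properties.ipConfigurations
    | extend vnetId = tolower(tostring(split(tostring(nicIpc.properties.subnet.id), '/subnets/')[0]))
    // A NIC with several IP configurations is counted once per VNet.
    | distinct id, vnetId
    | summarize vmNics = count() by vnetId
) on vnetId
// The left outer join leaves vmNics null when the VNet has no VM NICs.
| extend vmNics = iff(isnull(vmNics), 0, vmNics)
| project bastionName, resourceGroup, subscriptionId, location, sku, vnetId, vmNics
| order by vmNics asc
```

A count of 0 says only that no VM NIC lives in the host's own VNet; check peerings on that VNet before treating the host as unused.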