Governance · Low · Rare · AZF-0047

An orphaned IP Group is a stale allowlist no firewall rule references

An IP Group referenced by no firewall or firewall policy serves no purpose, but it still looks like a live allowlist that engineers assume is enforced.

Footgun ID: AZF-0047 (Azure Footgun No. 47)
Azure service: Azure Firewall
Resource type: Microsoft.Network/ipGroups
Updated: July 1, 2026

What it is

An IP Group, a reusable named set of IP addresses and CIDR ranges, that no Azure Firewall or Firewall Policy currently references. It reads like an active allowlist or blocklist, but no rule points at it, so it enforces nothing.

Impact (governance)
No direct charge; the harm is a stale, misleading network-security artifact
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

IP Groups exist to be shared across firewall rules, so they are created independently of the rules that use them. When a rule is rewritten, a policy is replaced, or a firewall is decommissioned, the reference to the IP Group disappears, but the IP Group itself survives. Azure maintains read-only back-references on the group (properties.firewalls and properties.firewallPolicies) that list what points at it, and an orphan is simply one where both lists are empty. The converse does not hold: a group cited by a Firewall Policy that is not itself attached to any firewall still carries a back-reference, so this check finds groups nothing cites at all, not every group whose ranges go unenforced.

The danger is interpretive. Someone reviewing the environment sees an IP Group named trusted-partners full of addresses and reasonably assumes traffic from those ranges is being handled by a rule somewhere. It is not. Worse, an orphaned group can be edited in good faith, adding or removing ranges that will never take effect, creating a false sense that a change was applied.

What it costs / blast radius

Azure does not bill for IP Groups, so there is no cost angle. The blast radius is confusion in the place you least want it: network security. An orphaned IP Group misleads audits and change reviews into believing a control is in force when nothing enforces it, and stale ranges inside it can outlive the trust decisions that put them there. (Authored assessment of Azure behavior.)

See it

Find them: IP Groups referenced by no firewall or firewall policy (Resource Graph; coalesce() treats a missing back-reference list the same as an empty one, so a group whose list is absent is not silently skipped)
Resources
| where type =~ 'microsoft.network/ipgroups'
| where coalesce(array_length(properties.firewalls), 0) == 0
    and coalesce(array_length(properties.firewallPolicies), 0) == 0
| project name, resourceGroup, subscriptionId, location,
          ranges = coalesce(array_length(properties.ipAddresses), 0)
Fix: re-attach it to the rule that should use it, or delete the stale group
# Confirm properties.firewalls and properties.firewallPolicies are both empty,
# then remove the orphan.
az network ip-group delete \
  --name trusted-partners \
  --resource-group rg-network
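The triage that the back-reference explanation and the find/fix steps above describe, as an added example that is not code from this page or from StratoLens: a Python script that buckets IP Groups into provable orphans, groups in use, and groups whose status cannot be judged because the extract lacks the back-reference lists, then emits the delete commands for the orphans only. It works on a constructed sample shaped like `az network ip-group list -o json` output (an assumption about that output's field names); the subscription GUID, resource names and IDs are placeholders.

```python
"""Triage Azure IP Groups: provably orphaned, in use, or not judgeable from the extract."""
import json
from typing import Dict, List, Optional

# Constructed sample (not real data): a trimmed version of the JSON that
# `az network ip-group list -o json` is assumed to return. The subscription
# GUID and resource IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_IP_GROUPS_JSON = json.dumps([
    {   # orphan: both read-only back-reference lists present and empty
        "name": "trusted-partners", "resourceGroup": "rg-network", "location": "westeurope",
        "ipAddresses": ["203.0.113.0/24", "198.51.100.7"],
        "firewalls": [], "firewallPolicies": [],
    },
    {   # in use through a Firewall Policy only
        "name": "branch-offices", "resourceGroup": "rg-network", "location": "westeurope",
        "ipAddresses": ["192.0.2.0/25"],
        "firewalls": [],
        "firewallPolicies": [{"id": SUB + "/resourceGroups/rg-network/providers/Microsoft.Network/firewallPolicies/hub-policy"}],
    },
    {   # in use through classic (non-policy) firewall rules only
        "name": "mgmt-jumphosts", "resourceGroup": "rg-hub", "location": "westeurope",
        "ipAddresses": ["10.0.0.0/24"],
        "firewalls": [{"id": SUB + "/resourceGroups/rg-hub/providers/Microsoft.Network/azureFirewalls/hub-fw"}],
        "firewallPolicies": [],
    },
    {   # back-reference lists missing from this extract: status unknown, not proven orphan
        "name": "legacy-scanners", "resourceGroup": "rg-legacy", "location": "northeurope",
        "ipAddresses": ["198.51.100.0/26"],
    },
])

BACKREF_FIELDS = ("firewalls", "firewallPolicies")


def load_sample() -> List[dict]:
    """Parse the constructed sample; swap in a read of a real `az ... list` dump."""
    return json.loads(SAMPLE_IP_GROUPS_JSON)


def referrers(group: dict) -> Optional[List[str]]:
    """IDs of every firewall and firewall policy pointing at this group, or None
    when the extract lacks either back-reference list (absence is not evidence)."""
    if any(field not in group for field in BACKREF_FIELDS):
        return None
    return [ref["id"] for field in BACKREF_FIELDS for ref in group[field]]


def classify(groups: List[dict]) -> Dict[str, List[str]]:
    """Bucket groups by name. Orphan means both lists are present and both empty;
    a single reference of either kind is enough to count as in use."""
    buckets: Dict[str, List[str]] = {"orphan": [], "in_use": [], "unknown": []}
    for group in groups:
        refs = referrers(group)
        key = "unknown" if refs is None else ("in_use" if refs else "orphan")
        buckets[key].append(group["name"])
    return buckets


def safe_to_delete(group: dict) -> bool:
    """Delete gate: only a group with both lists present and both empty qualifies."""
    return referrers(group) == []


def delete_commands(groups: List[dict]) -> List[str]:
    """az CLI commands for the provable orphans only; review them before running."""
    return [
        f"az network ip-group delete --name {g['name']} --resource-group {g['resourceGroup']}"
        for g in groups
        if safe_to_delete(g)
    ]


def orphan_report(groups: List[dict]) -> List[dict]:
    """Review rows for orphans: name, resource group, and how many ranges they still carry."""
    return [
        {"name": g["name"], "resourceGroup": g["resourceGroup"],
         "ranges": len(g.get("ipAddresses", []))}
        for g in groups
        if safe_to_delete(g)
    ]


if __name__ == "__main__":
    groups = load_sample()
    print(json.dumps(classify(groups), indent=2))
    for row in orphan_report(groups):
        print(f"orphan {row['name']} in {row['resourceGroup']} still holds {row['ranges']} range(s)")
    for cmd in delete_commands(groups):
        print(cmd)
```

The `unknown` bucket is the point of the script: a projection or export that dropped the back-reference fields must never be mistaken for a clean orphan list, so nothing is deleted unless both lists are present and empty. To run it on live data, dump `az network ip-group list -o json` to a file and have `load_sample` read that instead of the embedded sample.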

How StratoLens helps

StratoLens automatically and continuously flags IP Groups that no firewall or firewall policy references, across every subscription in your tenant, so a dead allowlist cannot masquerade as an enforced control. You see which network-security artifacts are actually wired in and which are just sitting there looking official.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.