Cost · Medium · Occasional · AZF-0015

An attached NAT Gateway passing zero traffic keeps billing — there is no paused state

A NAT Gateway still wired to a subnet but moving zero bytes and packets keeps billing its hourly base rate. Azure has no way to pause it.

Footgun ID: AZF-0015 (Azure Footgun No. 15)
Azure service: Azure NAT Gateway
Resource type: Microsoft.Network/natGateways
Updated: July 1, 2026

What it is

A NAT Gateway that is still associated with one or more subnets but is passing no traffic at all: zero ByteCount, zero PacketCount for the whole measurement window. It looks healthy and attached, so it survives inventory reviews, but nothing behind it is actually using outbound NAT.

Impact (cost)
~$32/month at list price for the base resource charge, plus data-processing, even at zero bytes
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

NAT Gateway bills a flat hourly charge for simply existing, plus a per-gigabyte data-processing fee. The hourly base is independent of traffic, and there is no stop or deallocate state the way there is for a VM. So when the workloads behind a subnet are torn down, migrated to a Private Link path, or moved to a different egress design, the gateway keeps running on an otherwise empty subnet.

Because the resource is still "attached," the plain orphan check that looks for a NAT Gateway with no subnets never fires. You need to look at the traffic metrics, not just the topology, to tell that it went idle.

What it costs / blast radius

The base resource charge is roughly $32/month at list price (about $0.045/hour) before any data processing, and it accrues whether the gateway moves a terabyte or nothing at all. (List price; your contract may differ.) One idle gateway is a small line item; a handful left behind across subscriptions after a network redesign quietly adds up, all for outbound NAT that no workload is requesting.

See it

Find candidates: NAT Gateways still attached to a subnet

Resources
| where type =~ 'microsoft.network/natGateways'
| where isnotnull(properties.subnets) and array_length(properties.subnets) > 0
| project name, resourceGroup, subscriptionId, location

Confirm zero traffic, then detach and delete

# A gateway that moved zero bytes over the window is idle.
az monitor metrics list --resource <natgw-id> \
  --metric ByteCount --interval P1D --aggregation Total

# If nothing used it, remove the subnet association and delete it.
az network vnet subnet update --vnet-name <vnet> --name <subnet> \
  --resource-group <rg> --remove natGateway
az network nat gateway delete --name <natgw> --resource-group <rg>
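
The traffic check above, as an added example (not StratoLens or Azure code): it classifies a gateway from the JSON that `az monitor metrics list` returns, requiring both ByteCount and PacketCount to be zero for the whole window. It assumes both metrics are in one response with one datapoint per day and treats missing datapoints as "unknown" rather than zero; the helper names and sample data are constructed.

```python
import json

REQUIRED = ("ByteCount", "PacketCount")  # metric names taken from the page

def metric_totals(metrics_json):
    """Map metric name -> per-interval totals (None where a point has no value)."""
    out = {}
    for metric in json.loads(metrics_json).get("value", []):
        totals = out.setdefault(metric["name"]["value"], [])
        for series in metric.get("timeseries", []):
            totals.extend(p.get("total") for p in series.get("data", []))
    return out

def classify(metrics_json, window_days):
    """Return 'active', 'idle' or 'unknown' for one gateway over the window."""
    totals = metric_totals(metrics_json)
    # Any non-zero interval on either metric means a workload still uses NAT.
    if any(t for name in REQUIRED for t in totals.get(name, [])):
        return "active"
    # Assumption: a missing or null point is absent data, not a measured zero,
    # so a window that is not fully covered is never reported as idle.
    for name in REQUIRED:
        measured = [t for t in totals.get(name, []) if t is not None]
        if len(measured) < window_days:
            return "unknown"
    return "idle"

def sample(byte_totals, packet_totals):
    """Constructed sample shaped like `az monitor metrics list -o json` output."""
    def metric(name, totals):
        data = [{"timeStamp": f"2026-06-{d + 1:02d}T00:00:00Z", "total": t}
                for d, t in enumerate(totals)]
        return {"name": {"value": name}, "timeseries": [{"data": data}]}
    return json.dumps({"value": [metric("ByteCount", byte_totals),
                                 metric("PacketCount", packet_totals)]})

if __name__ == "__main__":
    cases = {
        "natgw-empty-subnet": sample([0.0] * 7, [0.0] * 7),
        "natgw-in-use": sample([0.0] * 6 + [52341.0], [0.0] * 6 + [97.0]),
        "natgw-new": sample([0.0, 0.0], [0.0, 0.0]),
    }
    for name, doc in cases.items():
        print(name, classify(doc, window_days=7))
```

Only gateways classified "idle" are candidates for the detach and delete step; "unknown" means the window needs to be widened or the gateway reviewed by hand.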

How StratoLens helps

StratoLens looks past topology to traffic: it flags NAT Gateways that are still attached but have gone idle, with the date traffic last flowed and the monthly cost still accruing, automatically and continuously across every subscription in your tenant. An idle gateway on a forgotten subnet stops being something you have to remember to go check.
