What it is
A NAT Gateway that is still associated with one or more subnets but is passing no traffic at all: zero ByteCount, zero PacketCount for the whole measurement window. It looks healthy and attached, so it survives inventory reviews, but nothing behind it is actually using outbound NAT.
Why it happens
NAT Gateway bills a flat hourly charge for simply existing, plus a per-gigabyte data-processing fee. The hourly base is independent of traffic, and there is no stop or deallocate state the way there is for a VM. So when the workloads behind a subnet are torn down, migrated to a Private Link path, or moved to a different egress design, the gateway keeps running on an otherwise empty subnet.
Because the resource is still "attached," the plain orphan check that looks for a NAT Gateway with no subnets never fires. You need to look at the traffic metrics, not just the topology, to tell that it went idle.
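The traffic-based check described above, as an added example (not StratoLens or Azure code): it reads the JSON that `az monitor metrics list` prints for daily `Total` values and reports whether the gateway was idle, when traffic last flowed, and the base charge accrued since. The sample payload is constructed, and treating an empty response as "not proven idle" is an assumption of this sketch.

```python
import json

HOURLY_LIST_PRICE = 0.045  # USD/hour base charge quoted on this page (list price)

# Constructed sample in the shape `az monitor metrics list` prints with
# --metric ByteCount PacketCount --interval P1D --aggregation Total.
SAMPLE = json.dumps({"value": [
    {"name": {"value": "ByteCount"}, "timeseries": [{"data": [
        {"timeStamp": "2024-05-01T00:00:00Z", "total": 5120.0},
        {"timeStamp": "2024-05-02T00:00:00Z", "total": 0.0},
        {"timeStamp": "2024-05-03T00:00:00Z", "total": None},
        {"timeStamp": "2024-05-04T00:00:00Z"}]}]},
    {"name": {"value": "PacketCount"}, "timeseries": [{"data": [
        {"timeStamp": "2024-05-01T00:00:00Z", "total": 40.0},
        {"timeStamp": "2024-05-02T00:00:00Z", "total": 0.0},
        {"timeStamp": "2024-05-03T00:00:00Z", "total": 0.0},
        {"timeStamp": "2024-05-04T00:00:00Z", "total": 0.0}]}]},
]})


def summarize(metrics_json):
    """Collapse the metrics JSON into per-day activity and an idle verdict."""
    per_day = {}  # timestamp -> activity summed over every metric returned
    for metric in json.loads(metrics_json).get("value", []):
        for series in metric.get("timeseries", []):
            for point in series.get("data", []):
                # A bucket with nothing emitted may carry a null or missing
                # `total`; count that as zero traffic rather than failing.
                total = point.get("total") or 0.0
                ts = point["timeStamp"]
                per_day[ts] = per_day.get(ts, 0.0) + total
    days = sorted(per_day)  # ISO-8601 UTC timestamps sort chronologically
    active = [d for d in days if per_day[d] > 0]
    last_active = active[-1] if active else None
    # Trailing idle days: buckets after the last one that carried traffic.
    idle_days = len(days) if last_active is None else len(days) - days.index(last_active) - 1
    return {
        "days_observed": len(days),
        # No data points at all is not evidence of idleness (assumption).
        "idle_whole_window": bool(days) and not active,
        "last_traffic": last_active,
        "trailing_idle_days": idle_days,
        "idle_base_cost_usd": round(idle_days * 24 * HOURLY_LIST_PRICE, 2),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it over a window long enough to cover batch or monthly jobs before acting on the verdict; a gateway that is quiet for a few days is not necessarily unused.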
What it costs / blast radius
The base resource charge is roughly $32/month at list price (about $0.045/hour) before any data processing, and it accrues whether the gateway moves a terabyte or nothing at all. (List price; your contract may differ.) One idle gateway is a small line item; a handful left behind across subscriptions after a network redesign quietly adds up, all for outbound NAT that no workload is requesting.
See it
Resources
| where type =~ 'microsoft.network/natGateways'
| where isnotnull(properties.subnets) and array_length(properties.subnets) > 0
| project name, resourceGroup, subscriptionId, location

# A gateway that moved zero bytes over the window is idle.
az monitor metrics list --resource <natgw-id> \
    --metric ByteCount --interval P1D --aggregation Total

# If nothing used it, remove the subnet association and delete it.
az network vnet subnet update --vnet-name <vnet> --name <subnet> \
    --resource-group rg --remove natGateway
az network nat gateway delete --name <natgw> --resource-group rg

How StratoLens helps
StratoLens looks past topology to traffic: it flags NAT Gateways that are still attached but have gone idle, with the date traffic last flowed and the monthly cost still accruing, automatically and continuously across every subscription in your tenant. An idle gateway on a forgotten subnet stops being something you have to remember to go check.