Cost Governance Medium Occasional AZF-0008

An unattached NAT Gateway routes nothing but still bills ~$32/mo base

A NAT Gateway with no subnet associations provides zero outbound connectivity, but its hourly base rate runs 24/7 with no way to pause it.

Footgun ID: AZF-0008 (Azure Footgun No. 8)
Azure service: Azure NAT Gateway
Resource type: Microsoft.Network/natGateways
Updated: July 1, 2026

What it is

A NAT Gateway that isn't attached to any subnet. Without a subnet association it provides no outbound connectivity to anything, yet it keeps billing its hourly base rate for as long as it exists.

Impact (cost)
~$32/month at list price for the base rate alone, before any data processing
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

A NAT Gateway bills a flat hourly base rate the moment it is deployed, plus per-gigabyte data processing when it is actually in use. There is no paused or stopped state, so the base rate runs continuously whether or not a single subnet points at it.

The association is a separate lifecycle from the gateway itself. Subnets get reconfigured, a VNet is redesigned, or workloads move to a different egress path, and the gateway is left with its subnets property empty or absent. It provides zero utility in that state, but nothing flags it as broken, so it lingers.

What it costs / blast radius

The base rate alone is roughly $32/month at list price, about $385/year, for a gateway that connects nothing. (List price; data-processing charges are separate and your contract may differ.) That is a modest number on its own, but an unattached NAT Gateway delivers literally zero value for it, and these accumulate one abandoned VNet redesign at a time.

See it

Find them: NAT Gateways with no subnet associations
Resources
| where type =~ 'microsoft.network/natgateways'
| extend subnetCount = array_length(properties.subnets)
| where isnull(subnetCount) or subnetCount == 0
| project name, resourceGroup, subscriptionId, location,
          sku = tostring(sku.name)
Fix: re-associate the subnet that needs egress, or delete the gateway
# If a subnet still needs outbound NAT, associate it:
az network vnet subnet update \
  --name workloads --vnet-name vnet-prod --resource-group rg-network \
  --nat-gateway natgw-prod

# Otherwise remove the orphan so the base rate stops:
az network nat gateway delete \
  --name natgw-prod --resource-group rg-network
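
An offline version of the check above, as an added example (not StratoLens or Azure code): it takes gateway objects shaped like `az network nat gateway list -o json` output, treats an absent, null or empty `subnets` property as unattached, and totals the page's ~$32/month list-price estimate per subscription. The sample data, the field layout and all helper names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: the page's list-price estimate for the base rate, per gateway.
BASE_RATE_USD_PER_MONTH = 32.0

def _gw(sub, rg, name, **extra):
    """Build a constructed gateway record with an ARM-style resource ID."""
    rid = (f"/subscriptions/{sub}/resourceGroups/{rg}"
           f"/providers/Microsoft.Network/natGateways/{name}")
    return {"id": rid, "name": name, "resourceGroup": rg, **extra}

# Constructed sample; subscription IDs and gateway names are made up.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    _gw(SUB_A, "rg-network", "natgw-prod", subnets=[{"id": "constructed-subnet-id"}]),
    _gw(SUB_A, "rg-network", "natgw-old", subnets=[]),   # empty list
    _gw(SUB_B, "rg-poc", "natgw-poc", subnets=None),     # explicit null
    _gw(SUB_B, "rg-lab", "natgw-lab"),                   # property absent
]

def is_unattached(gw):
    """True when the subnets property is absent, null, or an empty list."""
    return not gw.get("subnets")

def subscription_of(resource_id):
    """Extract the subscription ID from an ARM resource ID (case-insensitive)."""
    parts = resource_id.strip("/").split("/")
    for key, value in zip(parts, parts[1:]):
        if key.lower() == "subscriptions":
            return value
    return "unknown"

def report(gateways):
    """Group unattached gateways by subscription with the estimated base cost."""
    by_sub = defaultdict(list)
    for gw in gateways:
        if is_unattached(gw):
            by_sub[subscription_of(gw.get("id", ""))].append(gw["name"])
    return {
        sub: {"gateways": sorted(names),
              "est_usd_per_month": len(names) * BASE_RATE_USD_PER_MONTH}
        for sub, names in by_sub.items()
    }

if __name__ == "__main__":
    for sub, row in sorted(report(SAMPLE).items()):
        print(sub, row["est_usd_per_month"], ", ".join(row["gateways"]))
```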

How StratoLens helps

StratoLens inventories every NAT Gateway across every subscription and flags the ones with no subnet associations, with the monthly base cost attached. You don't have to catch the moment a subnet is detached; the check runs continuously so an unattached gateway can't quietly bill its base rate for months.
