Governance | Low | Common | AZF-0041

An unattached NIC costs nothing but leaves stale NSG rules pointing at a ghost

A network interface with no VM, no private endpoint, and no owning resource bills nothing, so it lingers, carrying its old NSG and IP configuration into your security posture as dead weight.

Footgun ID: AZF-0041 (Azure Footgun No. 41)
Azure service: Azure Virtual Network
Resource type: Microsoft.Network/networkInterfaces
Updated: July 1, 2026

What it is

A network interface (NIC) left behind with no attachment. Its two real attachment properties, virtualMachine and privateEndpoint, are both empty, and nothing else claims it (managedBy is unset too). Nothing routes traffic through it. It is free, so nobody has a billing reason to clean it up, and it quietly accumulates.

Impact (governance)
No direct charge; the cost is inventory noise and stale security associations
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Deleting a VM in Azure does not delete its NIC unless you opt in. NICs, disks, and public IPs are independent resources with their own lifecycles, so they routinely outlive the VM they served.

Because a NIC carries no charge, it never shows up in a cost review. It sits in inventory with its old private IP configuration and, often, an NSG association that no longer protects anything. Months later nobody remembers whether nic-app-04 is safe to remove, so it stays.

What it costs / blast radius

There is no bill here to speak of. The harm is governance and security hygiene: an unattached NIC clutters resource inventory, holds a reserved private IP configuration, and keeps a stale NSG association that muddies any audit of what your firewall rules actually apply to. When you are trying to answer "what is exposed and why," ghost NICs make the map harder to read. (Authored assessment of Azure behavior, not a measured statistic.)

See it

Find them: unattached NICs across every subscription
Resources
| where type =~ 'microsoft.network/networkInterfaces'
| where isnull(properties.virtualMachine)
    and isnull(properties.privateEndpoint)
    and isnull(properties.managedBy)
| project name, resourceGroup, subscriptionId, location,
          nsg = tostring(properties.networkSecurityGroup.id)
Fix: confirm nothing depends on it, then delete the orphan
# A NIC with no VM, private endpoint, or owner is safe to remove.
# Confirm that all three values come back null before running the delete.
az network nic show --name nic-app-04 --resource-group rg-app \
  --query "{vm:virtualMachine, pe:privateEndpoint, managedBy:managedBy}"
az network nic delete --name nic-app-04 --resource-group rg-app
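Once the query has returned rows, you still have to decide which ones are actionable and which NSGs they drag along. The following is an added example (not code from this page or from StratoLens) that applies the same three-property predicate client-side to constructed sample rows, groups the orphans by the NSG they still reference so the stale associations are visible per NSG, and emits a delete plan for a reviewer to approve. It assumes rows shaped like the page's Resource Graph query output and uses az's global `--subscription` flag; all names and resource ids are made up.

```python
from collections import defaultdict

# Constructed sample rows shaped like the page's Resource Graph query output
# (name, resourceGroup, subscriptionId, raw properties). Made-up ids, not real inventory.
NSG_APP = ("/subscriptions/sub-a/resourceGroups/rg-app/providers/"
           "Microsoft.Network/networkSecurityGroups/nsg-app")
SAMPLE_NICS = [
    # orphan: no VM, no private endpoint, no owner, but still bound to nsg-app
    {"name": "nic-app-04", "resourceGroup": "rg-app", "subscriptionId": "sub-a",
     "properties": {"networkSecurityGroup": {"id": NSG_APP}}},
    # orphan with no NSG: inventory noise only, no stale rule association
    {"name": "nic-tmp-01", "resourceGroup": "rg-app", "subscriptionId": "sub-a",
     "properties": {}},
    # attached to a VM: keep
    {"name": "nic-app-01", "resourceGroup": "rg-app", "subscriptionId": "sub-a",
     "properties": {"virtualMachine": {"id": "/subscriptions/sub-a/resourceGroups/"
                    "rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01"},
                    "networkSecurityGroup": {"id": NSG_APP}}},
    # NIC created by a private endpoint: keep
    {"name": "nic-pe-kv", "resourceGroup": "rg-sec", "subscriptionId": "sub-b",
     "properties": {"privateEndpoint": {"id": "/subscriptions/sub-b/resourceGroups/"
                    "rg-sec/providers/Microsoft.Network/privateEndpoints/pe-kv"}}},
    # claimed by another resource through managedBy: keep
    {"name": "nic-owned", "resourceGroup": "rg-sec", "subscriptionId": "sub-b",
     "properties": {"managedBy": "/subscriptions/sub-b/resourceGroups/rg-sec/owner"}},
]

ATTACHMENT_KEYS = ("virtualMachine", "privateEndpoint", "managedBy")

def is_orphan(nic):
    """The page's predicate: none of the three attachment properties is set."""
    props = nic.get("properties") or {}
    return all(props.get(key) in (None, {}, "") for key in ATTACHMENT_KEYS)

def stale_nsg_map(nics):
    """Group orphan NICs by the NSG they still reference. Orphans without an
    NSG land under the key None; attached NICs are ignored entirely."""
    stale = defaultdict(list)
    for nic in nics:
        if is_orphan(nic):
            nsg = ((nic.get("properties") or {}).get("networkSecurityGroup") or {}).get("id")
            stale[nsg].append(nic["name"])
    return dict(stale)

def delete_plan(nics):
    """One delete command per orphan, for a reviewer to approve before running."""
    return [f"az network nic delete --name {n['name']} --resource-group "
            f"{n['resourceGroup']} --subscription {n['subscriptionId']}"
            for n in nics if is_orphan(n)]
```

Feed it the JSON rows from the page's query and review `stale_nsg_map` before running anything from `delete_plan`.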

How StratoLens helps

StratoLens inventories every network interface across every subscription in your own tenant and flags the unattached ones, along with the NSG they still reference and how long they have been orphaned. It does this continuously and automatically, so the ghosts get cleaned up instead of quietly complicating your next security review.
