What it is
A network interface (NIC) left behind with no attachment. Its two real attachment properties, virtualMachine and privateEndpoint, are both empty, and nothing else claims it (managedBy is unset too). Nothing routes traffic through it. It is free, so nobody has a billing reason to clean it up, and it quietly accumulates.
Why it happens
Deleting a VM in Azure does not delete its NIC unless you opt in. NICs, disks, and public IPs are independent resources with their own lifecycles, so they routinely outlive the VM they served.
Because a NIC carries no charge, it never shows up in a cost review. It sits in inventory with its old private IP configuration and, often, an NSG association that no longer protects anything. Months later nobody remembers whether nic-app-04 is safe to remove, so it stays.
What it costs / blast radius
There is no bill here to speak of. The harm is governance and security hygiene: an unattached NIC clutters resource inventory, holds a reserved private IP configuration, and keeps a stale NSG association that muddies any audit of what your firewall rules actually apply to. When you are trying to answer "what is exposed and why," ghost NICs make the map harder to read. (Authored assessment of Azure behavior, not a measured statistic.)
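The audit problem described above, as an added example (not code from this page or from StratoLens): it applies the three attachment checks to NIC records shaped like `az network nic list -o json` output and reports which NSGs are referenced only by unattached NICs. The sample records, the `<sub-id>` placeholder and the function names are constructed for illustration; the `managedBy` field follows this page's own checks.

```python
from collections import defaultdict

# Constructed sample records (not real data), shaped like `az network nic list -o json`.
NSG = "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/"
VM = {"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-05"}
PE = {"id": "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network/privateEndpoints/pe-sql"}
SAMPLE = [
    {"name": "nic-app-04", "virtualMachine": None, "privateEndpoint": None, "managedBy": None,
     "networkSecurityGroup": {"id": NSG + "nsg-app"}},
    {"name": "nic-app-05", "virtualMachine": VM, "privateEndpoint": None, "managedBy": None,
     "networkSecurityGroup": {"id": NSG + "nsg-web"}},
    {"name": "nic-web-02", "virtualMachine": None, "privateEndpoint": None,
     "networkSecurityGroup": {"id": NSG + "nsg-web"}},
    {"name": "nic-old-01", "virtualMachine": None, "privateEndpoint": None,
     "networkSecurityGroup": {"id": NSG + "nsg-legacy"}},
    {"name": "nic-old-02", "virtualMachine": {}, "privateEndpoint": None,
     "networkSecurityGroup": {"id": NSG.upper() + "NSG-LEGACY"}},  # same NSG, different case
    {"name": "nic-pe-01", "virtualMachine": None, "privateEndpoint": PE, "networkSecurityGroup": None},
    {"name": "nic-bare", "virtualMachine": None, "privateEndpoint": None, "networkSecurityGroup": None},
]

def is_unattached(nic):
    """True when virtualMachine, privateEndpoint and managedBy are all empty or missing."""
    return not any(nic.get(k) for k in ("virtualMachine", "privateEndpoint", "managedBy"))

def nsg_id(nic):
    """Lower-cased NSG resource ID, '' if none (Azure resource IDs are case-insensitive)."""
    return ((nic.get("networkSecurityGroup") or {}).get("id") or "").lower()

def audit(nics):
    """Return (unattached NIC names grouped by NSG ID, NSG IDs referenced only by unattached NICs)."""
    orphans, live = defaultdict(list), set()
    for nic in nics:
        if is_unattached(nic):
            orphans[nsg_id(nic)].append(nic["name"])
        elif nsg_id(nic):
            live.add(nsg_id(nic))
    # Caveat: subnet-level NSG associations do not appear in NIC records, so
    # "stale" only means no attached NIC in this input references the NSG.
    stale = sorted(n for n in orphans if n and n not in live)
    return dict(orphans), stale

if __name__ == "__main__":
    by_nsg, stale = audit(SAMPLE)
    for nsg, names in by_nsg.items():
        print(f"{nsg or '(no NSG)'}: {', '.join(names)}")
    print("NSGs referenced only by unattached NICs:", stale)
```

An NSG in the second list still needs its subnet associations checked before its rules are treated as dead.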
See it
Resources
| where type =~ 'microsoft.network/networkInterfaces'
| where isnull(properties.virtualMachine)
and isnull(properties.privateEndpoint)
and isnull(properties.managedBy)
| project name, resourceGroup, subscriptionId, location,
nsg = tostring(properties.networkSecurityGroup.id)

# A NIC with no VM, private endpoint, or owner is safe to remove.
az network nic show --name nic-app-04 --resource-group rg-app \
  --query "{vm:virtualMachine, pe:privateEndpoint, managedBy:managedBy}"
az network nic delete --name nic-app-04 --resource-group rg-app
How StratoLens helps
StratoLens inventories every network interface across every subscription in your own tenant and flags the unattached ones, along with the NSG they still reference and how long they have been orphaned. It does this continuously and automatically, so the ghosts get cleaned up instead of quietly complicating your next security review.