Reliability · Cost · Medium · Occasional · AZF-0040

A Private Endpoint in the Disconnected state breaks private connectivity while still billing

A Private Endpoint whose connection status is Disconnected no longer routes to its Private Link service. Anything relying on that private path fails, and the endpoint keeps billing.

Footgun ID
AZF-0040 (Azure Footgun No. 40)
Azure service
Azure Private Link
Resource type
Microsoft.Network/privateEndpoints
Updated
July 1, 2026

What it is

An Azure Private Endpoint whose privateLinkServiceConnections state is Disconnected. The endpoint still occupies a private IP in your VNet and DNS may still resolve to it, but it no longer has a live connection to the storage account, database, or other Private Link service it was created for. Traffic that depends on that private path does not reach its destination.

Impact (reliability)
Private connectivity to the PaaS resource is broken — traffic over the endpoint silently fails
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

A Private Endpoint and the resource it connects to have independent lifecycles. When the target PaaS resource is deleted, recreated, or has its Private Link approval rejected or revoked, the endpoint's connection transitions to Disconnected, but the endpoint object itself is not removed. The private DNS record and the VNet's private IP allocation frequently persist, so name resolution keeps pointing clients at an endpoint that has no working connection behind it.

Nothing about this surfaces as an obvious error. The endpoint still exists, the subnet still shows it, and applications configured to use the private path just start failing to connect. Because the private DNS zone still resolves the hostname to the private IP, callers do not fall back to a public path; they hit a dead endpoint and time out. It reads as an intermittent connectivity issue rather than a broken Private Link.

What it costs / blast radius

The primary harm is broken connectivity. Any workload that was routed to the PaaS resource over this endpoint loses its private path, and because the endpoint is Disconnected rather than deleted, DNS keeps steering traffic into the failure instead of anywhere useful. The blast radius is every application relying on that private connection, and the symptom is silent failure rather than a clear alert.

The secondary harm is cost, and it is minor. A Private Endpoint runs about $0.01/hour, roughly $7.30/month, plus data-transfer charges, all at list price (your contract may differ). The reason to act is the broken link, not the few dollars.

See it

Find them: Private Endpoints whose connection status is Disconnected

Resources
| where type =~ 'microsoft.network/privateEndpoints'
| mv-expand conn = properties.privateLinkServiceConnections
| extend status = tostring(
    conn.properties.privateLinkServiceConnectionState.status)
| where status =~ 'Disconnected'
| project name, resourceGroup, subscriptionId, location,
          linkService = tostring(conn.properties.privateLinkServiceId), status
Fix: recreate the endpoint against a live service, or delete the dead one and its DNS record

# The connection can't be re-approved once the target is gone —
# delete the stale endpoint so DNS stops pointing at a dead path...
az network private-endpoint delete \
  --name pe-storage-prod --resource-group rg-prod

# ...then recreate it against the current Private Link resource and
# re-register the private DNS A record for its new IP.
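As an added example (not code from this page or from StratoLens), the same check in Python over the JSON shape Resource Graph returns for Microsoft.Network/privateEndpoints, extended to the manualPrivateLinkServiceConnections array (which the KQL above does not expand) and to spotting private DNS A records that still resolve to a disconnected endpoint's IP. The sample endpoints and DNS records are constructed, and the resource ids are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    endpoint: str
    link_service: str
    connection_kind: str   # which connections array the entry came from
    stale_dns: list        # FQDNs whose A record still points at this endpoint

def endpoint_ips(pe):
    """Private IPs allocated to the endpoint (properties.customDnsConfigs)."""
    return {ip for cfg in pe.get("properties", {}).get("customDnsConfigs", [])
            for ip in cfg.get("ipAddresses", [])}

def disconnected_findings(endpoints, dns_a_records):
    """Flag Disconnected connections and the A records still resolving to them.
    Both connection arrays are walked; the KQL above only expands the first."""
    findings = []
    for pe in endpoints:
        props, ips = pe.get("properties", {}), endpoint_ips(pe)
        for kind in ("privateLinkServiceConnections", "manualPrivateLinkServiceConnections"):
            for conn in props.get(kind, []):
                cp = conn.get("properties", {})
                state = cp.get("privateLinkServiceConnectionState", {})
                if state.get("status", "").lower() != "disconnected":
                    continue
                stale = sorted(f for f, ip in dns_a_records.items() if ip in ips)
                findings.append(Finding(pe["name"], cp.get("privateLinkServiceId", ""), kind, stale))
    return findings

# Constructed sample in the Resource Graph shape: one healthy endpoint, one whose target is gone.
SAMPLE_ENDPOINTS = [
    {"name": "pe-sql-prod", "properties": {
        "customDnsConfigs": [{"fqdn": "sqlprod.privatelink.database.windows.net", "ipAddresses": ["10.0.1.4"]}],
        "privateLinkServiceConnections": [{"properties": {
            "privateLinkServiceId": "<sql-server-resource-id>",
            "privateLinkServiceConnectionState": {"status": "Approved"}}}]}},
    {"name": "pe-storage-prod", "properties": {
        "customDnsConfigs": [{"fqdn": "stprod.privatelink.blob.core.windows.net", "ipAddresses": ["10.0.1.5"]}],
        "privateLinkServiceConnections": [{"properties": {
            "privateLinkServiceId": "<storage-account-resource-id>",
            "privateLinkServiceConnectionState": {"status": "Disconnected"}}}]}},
]
# Constructed private DNS zone A records; the second still steers clients into the dead endpoint.
SAMPLE_DNS = {"sqlprod.privatelink.database.windows.net": "10.0.1.4",
              "stprod.privatelink.blob.core.windows.net": "10.0.1.5"}

if __name__ == "__main__":
    for f in disconnected_findings(SAMPLE_ENDPOINTS, SAMPLE_DNS):
        print(f"{f.endpoint}: {f.connection_kind} to {f.link_service} is Disconnected; stale A records: {f.stale_dns}")
```

Feeding it the output of `az graph query` for the page's KQL (minus the `where status` filter) gives the same disconnected list plus the DNS records to clean up alongside the endpoint.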

How StratoLens helps

StratoLens checks every Private Endpoint across every subscription for a Disconnected connection state and flags the ones whose private path is broken, along with how long they have been disconnected and which service they last connected to. A silently failing private link stops being something you find during an incident and becomes something surfaced before it takes an app down.
