What it is
An Azure Private Endpoint whose privateLinkServiceConnections state is Disconnected. The endpoint still occupies a private IP in your VNet and DNS may still resolve to it, but it no longer has a live connection to the storage account, database, or other Private Link service it was created for. Traffic that depends on that private path does not reach its destination.
Why it happens
A Private Endpoint and the resource it connects to have independent lifecycles. When the target PaaS resource is deleted, recreated, or has its Private Link approval rejected or revoked, the endpoint's connection transitions to Disconnected, but the endpoint object itself is not removed. The private DNS record and the VNet's private IP allocation frequently persist, so name resolution keeps pointing clients at an endpoint that has no working connection behind it.
Nothing about this surfaces as an obvious error. The endpoint still exists, the subnet still shows it, and applications configured to use the private path just start failing to connect. Because the private DNS zone still resolves the hostname to the private IP, callers do not fall back to a public path; they hit a dead endpoint and time out. It reads as an intermittent connectivity issue rather than a broken Private Link.
What it costs / blast radius
The primary harm is broken connectivity. Any workload that was routed to the PaaS resource over this endpoint loses its private path, and because the endpoint is Disconnected rather than deleted, DNS keeps steering traffic into the failure instead of anywhere useful. The blast radius is every application relying on that private connection, and the symptom is silent failure rather than a clear alert.
The secondary harm is cost, and it is minor. A Private Endpoint is billed at about $0.01/hour, roughly $7.30/month, plus data-transfer charges. (Those are list prices; your contract may differ.) The reason to act is the broken link, not the few dollars.
See it
Resources
| where type =~ 'microsoft.network/privateEndpoints'
| mv-expand conn = properties.privateLinkServiceConnections
| extend status = tostring(
    conn.properties.privateLinkServiceConnectionState.status)
| where status =~ 'Disconnected'
| project name, resourceGroup, subscriptionId, location,
    linkService = tostring(conn.properties.privateLinkServiceId), status

# The connection can't be re-approved once the target is gone, so
# delete the stale endpoint so DNS stops pointing at a dead path...
az network private-endpoint delete \
    --name pe-storage-prod --resource-group rg-prod
# ...then recreate it against the current Private Link resource and
# re-register the private DNS A record for its new IP.
How StratoLens helps
StratoLens checks every Private Endpoint across every subscription for a Disconnected connection state and flags the ones whose private path is broken, along with how long they have been disconnected and which service they last connected to. A silently failing private link stops being something you find during an incident and becomes something surfaced before it takes an app down.
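As an added example, not part of this page and not StratoLens code: the same check the Resource Graph query above expresses, run offline in Python over constructed sample records in the shape Resource Graph returns for Private Endpoints, plus the cross-check the text describes, namely which private DNS A records still resolve to a Disconnected endpoint's private IP. The customDnsConfigs field is taken from the standard Private Endpoint schema; the endpoint names, resource IDs, IPs and DNS records are constructed sample data.

```python
# Constructed sample in the shape Azure Resource Graph returns for
# microsoft.network/privateEndpoints, trimmed to the fields used below.
ENDPOINTS = [
    {"name": "pe-storage-prod", "resourceGroup": "rg-prod", "properties": {
        "privateLinkServiceConnections": [{"properties": {
            "privateLinkServiceId": "/subscriptions/<sub>/resourceGroups/rg-prod"
                                    "/providers/Microsoft.Storage/storageAccounts/stprod",
            "privateLinkServiceConnectionState": {"status": "Disconnected"}}}],
        "customDnsConfigs": [{"fqdn": "stprod.blob.core.windows.net",
                              "ipAddresses": ["10.0.1.4"]}]}},
    {"name": "pe-sql-prod", "resourceGroup": "rg-prod", "properties": {
        "privateLinkServiceConnections": [{"properties": {
            "privateLinkServiceId": "/subscriptions/<sub>/resourceGroups/rg-prod"
                                    "/providers/Microsoft.Sql/servers/sqlprod",
            "privateLinkServiceConnectionState": {"status": "Approved"}}}],
        "customDnsConfigs": [{"fqdn": "sqlprod.database.windows.net",
                              "ipAddresses": ["10.0.1.5"]}]}},
]

# Constructed A records from the privatelink.* private DNS zones.
DNS_A_RECORDS = [
    {"name": "stprod", "zone": "privatelink.blob.core.windows.net", "ip": "10.0.1.4"},
    {"name": "sqlprod", "zone": "privatelink.database.windows.net", "ip": "10.0.1.5"},
]


def disconnected_endpoints(endpoints):
    """Mirror the query: expand each endpoint's connections and keep the ones whose
    status is Disconnected. KQL's =~ is case-insensitive, so lower-case here too."""
    hits = []
    for ep in endpoints:
        for conn in ep["properties"].get("privateLinkServiceConnections", []):
            state = conn["properties"].get("privateLinkServiceConnectionState", {})
            if state.get("status", "").lower() == "disconnected":
                hits.append({"name": ep["name"], "resourceGroup": ep["resourceGroup"],
                             "linkService": conn["properties"].get("privateLinkServiceId"),
                             "status": state["status"]})
    return hits


def stale_dns_records(endpoints, records):
    """A records that still resolve to a Disconnected endpoint's private IP: clients
    following them hit a dead path instead of falling back, so fix these too."""
    dead = {h["name"] for h in disconnected_endpoints(endpoints)}
    dead_ips = {ip for ep in endpoints if ep["name"] in dead
                for cfg in ep["properties"].get("customDnsConfigs", [])
                for ip in cfg.get("ipAddresses", [])}
    return [r for r in records if r["ip"] in dead_ips]
```

Feed it the JSON from `az graph query` (or the portal's Resource Graph explorer) instead of the constructed sample to run it against a real tenant.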