What it is
A subnet inside a virtual network that holds no attached resources: no IP configurations, no private endpoints, and no service delegations. Its address range is carved out of the VNet, but nothing lives there.
Why it happens
Subnets are usually sized up front, during network design, well before the workloads that will fill them exist. Plans change: a tier gets consolidated, a migration lands somewhere else, a proof of concept is torn down. The subnet stays because deleting one feels risky and nobody is sure it is truly unused.
Azure does not charge for a subnet, so nothing on the bill ever prompts a cleanup. Meanwhile the range it reserved is unavailable to anything else in the VNet. In an address plan that is already tight, a handful of empty /24s can be the difference between fitting the next project and having to renumber. (Note that reserved subnets like GatewaySubnet, AzureBastionSubnet, and AzureFirewallSubnet can look empty in inventory while doing their job; those are not orphans.)
What it costs / blast radius
There is no meter here. An empty subnet costs nothing, so this is a governance and capacity-planning issue rather than a billing one. The blast radius is the address space it locks up and the confusion it adds to network reviews: every empty subnet is one more thing an auditor or engineer has to investigate before concluding it is safe to ignore. (Authored assessment of Azure behavior.)
See it
Resources
| where type =~ 'microsoft.network/virtualnetworks'
| mv-expand subnet = properties.subnets
| extend subnetName = tostring(subnet.name)
| where subnetName !in~ ('GatewaySubnet','AzureBastionSubnet',
'AzureFirewallSubnet','AzureFirewallManagementSubnet',
'RouteServerSubnet')
| where array_length(subnet.properties.ipConfigurations) == 0
and array_length(subnet.properties.privateEndpoints) == 0
and array_length(subnet.properties.delegations) == 0
| project vnet = name, subnetName, resourceGroup, subscriptionId,
prefix = tostring(subnet.properties.addressPrefix)// Confirm nothing is mid-deployment into it first, then remove it.
az network vnet subnet delete \
--name subnet-legacy-tier \
--vnet-name corp-vnet \
--resource-group rg-networkHow StratoLens helps
StratoLens flags empty subnets automatically and continuously across every subscription in your tenant, excluding the Azure-reserved names that only look empty, so a stale range does not sit in your address plan for years. You see which subnets reserve space without serving a workload instead of hunting through each VNet by hand.