Governance | Low | Occasional | AZF-0045

An empty subnet reserves address space and serves no workload

A subnet with no NICs, private endpoints, or delegations carves out address space that nothing uses, quietly shrinking the range available for real workloads.

Footgun ID: AZF-0045 (Azure Footgun No. 45)
Azure service: Azure Virtual Network
Resource type: Microsoft.Network/virtualNetworks/subnets
Updated: July 1, 2026

What it is

A subnet inside a virtual network that holds no attached resources: no IP configurations, no private endpoints, and no service delegations. Its address range is carved out of the VNet, but nothing lives there.

Impact (governance)
No direct charge; the harm is wasted address space and network-plan clutter
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Subnets are usually sized up front, during network design, well before the workloads that will fill them exist. Plans change: a tier gets consolidated, a migration lands somewhere else, a proof of concept is torn down. The subnet stays because deleting one feels risky and nobody is sure it is truly unused.

Azure does not charge for a subnet, so nothing on the bill ever prompts a cleanup. Meanwhile the range it reserved is unavailable to anything else in the VNet. In an address plan that is already tight, a handful of empty /24s can be the difference between fitting the next project and having to renumber. (Note that reserved subnets like GatewaySubnet, AzureBastionSubnet, and AzureFirewallSubnet can look empty in inventory while doing their job; those are not orphans.)

What it costs / blast radius

There is no meter here. An empty subnet costs nothing, so this is a governance and capacity-planning issue rather than a billing one. The blast radius is the address space it locks up and the confusion it adds to network reviews: every empty subnet is one more thing an auditor or engineer has to investigate before concluding it is safe to ignore. (Authored assessment of Azure behavior.)

See it

Find them: subnets with no attached resources across every subscription

Resources
| where type =~ 'microsoft.network/virtualnetworks'
| mv-expand subnet = properties.subnets
| extend subnetName = tostring(subnet.name)
// Skip Azure-reserved subnets that can look empty while doing their job.
| where subnetName !in~ ('GatewaySubnet','AzureBastionSubnet',
                         'AzureFirewallSubnet','AzureFirewallManagementSubnet',
                         'RouteServerSubnet')
// A property with no entries may be absent (null) instead of an empty array,
// and array_length(null) is null, so test for both.
| extend sp = subnet.properties
| where (isnull(sp.ipConfigurations) or array_length(sp.ipConfigurations) == 0)
    and (isnull(sp.privateEndpoints) or array_length(sp.privateEndpoints) == 0)
    and (isnull(sp.delegations) or array_length(sp.delegations) == 0)
| project vnet = name, subnetName, resourceGroup, subscriptionId,
          prefix = tostring(sp.addressPrefix)

Fix: delete the empty subnet to return its range to the VNet

# Confirm nothing is mid-deployment into it first, then remove it.
az network vnet subnet delete \
  --name subnet-legacy-tier \
  --vnet-name corp-vnet \
  --resource-group rg-network
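
To put a number on the address space those subnets lock up, this added Python example (not from the original page and not StratoLens code) takes a VNet record in the shape the Resource Graph query reads and totals the IPv4 range held by empty, non-reserved subnets. The sample VNet, its prefixes, and every subnet in it are constructed for illustration.

```python
import ipaddress

# Azure-reserved names the page's query excludes; they can look empty in inventory.
RESERVED = {"gatewaysubnet", "azurebastionsubnet", "azurefirewallsubnet",
            "azurefirewallmanagementsubnet", "routeserversubnet"}

def is_empty(subnet):
    """No IP configurations, private endpoints or delegations.
    A missing property is treated the same as an empty list."""
    p = subnet.get("properties", {})
    return not any(p.get(k) for k in
                   ("ipConfigurations", "privateEndpoints", "delegations"))

def ipv4_size(prefixes):
    """Total IPv4 addresses covered by a list of CIDR prefixes."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return sum(n.num_addresses for n in nets if n.version == 4)

def reclaimable(vnet):
    """Return (empty subnet names, IPv4 addresses they reserve, share of VNet)."""
    props = vnet["properties"]
    total = ipv4_size(props["addressSpace"]["addressPrefixes"])
    names, reserved = [], 0
    for s in props.get("subnets", []):
        if s["name"].lower() in RESERVED or not is_empty(s):
            continue
        sp = s.get("properties", {})
        prefixes = sp.get("addressPrefixes") or [sp["addressPrefix"]]
        names.append(s["name"])
        reserved += ipv4_size(prefixes)
    return names, reserved, (reserved / total if total else 0.0)

# Constructed sample in the Resource Graph shape the query reads.
SAMPLE_VNET = {"name": "corp-vnet", "properties": {
    "addressSpace": {"addressPrefixes": ["10.20.0.0/16"]},
    "subnets": [
        {"name": "subnet-app", "properties": {"addressPrefix": "10.20.0.0/24",
            "ipConfigurations": [{"id": "constructed-nic-ipconfig"}]}},
        {"name": "subnet-legacy-tier", "properties": {
            "addressPrefix": "10.20.1.0/24", "delegations": []}},
        {"name": "subnet-poc", "properties": {"addressPrefix": "10.20.2.0/24",
            "ipConfigurations": [], "privateEndpoints": [], "delegations": []}},
        {"name": "subnet-sql", "properties": {"addressPrefix": "10.20.4.0/24",
            "delegations": [{"name": "constructed-delegation"}]}},
        {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.20.255.0/27"}},
    ]}}

if __name__ == "__main__":
    names, reserved, share = reclaimable(SAMPLE_VNET)
    print(f"{names} reserve {reserved} addresses ({share:.2%} of the VNet)")
```

The count is the full carved-out range per subnet, which is what the VNet loses to each empty prefix.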

How StratoLens helps

StratoLens flags empty subnets automatically and continuously across every subscription in your tenant, excluding the Azure-reserved names that only look empty, so a stale range does not sit in your address plan for years. You see which subnets reserve space without serving a workload instead of hunting through each VNet by hand.
