Skip to main content
Back to the Azure Footguns Database
CostGovernanceLowOccasionalAZF-0017

An empty Traffic Manager profile routes nothing and holds a DNS name for no reason

A Traffic Manager profile with no endpoints can resolve nothing, yet it holds a trafficmanager.net name and sits in inventory as finished-looking dead config.

Footgun ID
AZF-0017 (Azure Footgun No. 17)
Azure service
Azure Traffic Manager
Resource type
Microsoft.Network/trafficManagerProfiles
Updated
July 1, 2026

What it is

A Traffic Manager profile whose endpoints list is empty or missing. With no endpoints there is nothing to route to, so any DNS query against it returns nothing useful. The profile still exists, still claims its *.trafficmanager.net name, and still shows up as a configured resource.

Impact (cost)
Negligible standalone charge — Traffic Manager has no per-profile fee; the cost is the abandoned config it signals
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

Traffic Manager is a DNS-based traffic router, and its billing is driven by DNS queries and by monitored endpoints, not by a flat per-profile fee. An empty profile therefore has almost nothing to charge for, which is exactly why it is easy to leave behind: it looks harmless on the bill.

Profiles usually go empty when the endpoints behind them, App Services, public IPs, or nested profiles, are deleted during a migration or teardown while the profile itself is left in place. Azure does not flag a profile that can no longer route anything, so it lingers as finished-looking configuration that does nothing.

What it costs / blast radius

The direct charge is essentially zero: Traffic Manager bills per million DNS queries and per monitored endpoint, and an empty profile has neither. (List price; your contract may differ.) The real harm is governance and hygiene. The profile occupies a global DNS namespace, and it is a false positive in every "what is this for" review, a piece of dead config that makes the environment harder to reason about and easier to misjudge during an incident.

See it

Find them: Traffic Manager profiles with no endpoints
Resources
| where type =~ 'microsoft.network/trafficmanagerprofiles'
| where isnull(properties.endpoints) or array_length(properties.endpoints) == 0
| project name, resourceGroup, subscriptionId,
          profileStatus = properties.profileStatus
Fix: delete the empty profile (or add the endpoints it was meant to route)
az network traffic-manager profile delete \
  --name <profile> --resource-group rg

How StratoLens helps

StratoLens surfaces Traffic Manager profiles with no endpoints automatically and continuously across every subscription, so the abandoned ones do not quietly accumulate as dead DNS config. It is a small cleanup individually, but having it flagged for you means it actually gets done instead of being rediscovered during the next audit.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.