Skip to main content
Back to the Azure Footguns Database
CostLowOccasionalAZF-0018

A Traffic Manager profile with endpoints but zero DNS queries keeps paying for health checks

A profile that still has endpoints but receives zero DNS queries keeps billing per-endpoint health monitoring for a name no client is using anymore.

Footgun ID
AZF-0018 (Azure Footgun No. 18)
Azure service
Azure Traffic Manager
Resource type
Microsoft.Network/trafficManagerProfiles
Updated
July 1, 2026

What it is

A Traffic Manager profile that is fully configured, endpoints in place, health probing active, but receiving zero DNS queries (QpsByEndpoint flat at zero) across the whole window. Unlike an empty profile, this one looks completely healthy. Nothing is missing. It is simply that no client resolves the name anymore.

Impact (cost)
~$0.36/endpoint/month at list price for health checks that keep running while nobody resolves the name
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

Traffic Manager only routes traffic when something looks up its DNS name. When the front door in front of it changes, an application is cut over to Front Door, a CNAME is repointed, or the service is retired, the clients stop querying the profile. But the profile keeps its endpoints, and Azure keeps health-checking every endpoint on your behalf, which is a billable activity that runs regardless of query volume.

Because the endpoints are still present and probing green, the empty-profile check never fires. The only tell is the query metric, and a profile that does real work looks identical to one nobody has resolved in months unless you read QpsByEndpoint.

What it costs / blast radius

The endpoint health-monitoring charge is about $0.36 per endpoint per month at list price and keeps accruing whether or not a single client resolves the name. (List price; your contract may differ.) A four-endpoint profile is only a dollar or two a month, so the dollar figure is not the point; the point is that you are paying to monitor a routing decision no traffic is asking for, and it is a reliable signal of a cutover that was never cleaned up.

See it

Find candidates: profiles that still have endpoints
Resources
| where type =~ 'microsoft.network/trafficmanagerprofiles'
| where array_length(properties.endpoints) > 0
| project name, resourceGroup, subscriptionId,
          endpointCount = array_length(properties.endpoints)
Confirm zero queries, then delete the unused profile
// Query volume tells you whether anyone still resolves the name.
az monitor metrics list --resource <profile-id> \
  --metric QpsByEndpoint --interval P1D --aggregation Total

// Zero queries over the window: delete it and stop paying for the
// health checks on a name nobody uses.
az network traffic-manager profile delete --name <profile> --resource-group rg

How StratoLens helps

StratoLens reads the query metric, not just the endpoint list, so it flags Traffic Manager profiles that still probe endpoints but receive no DNS queries, with the date the last query landed, automatically and continuously across every subscription. A profile left running after a cutover stops being invisible just because it still looks healthy.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.