Skip to main content
Back to the Azure Footguns Database
GovernanceLowOccasionalAZF-0044

An empty VNet provides no networking and just complicates your address plan

A virtual network with no subnets provides no networking capability at all, yet it reserves an address space and adds one more thing to reason about in every peering and IP-planning decision.

Footgun ID
AZF-0044 (Azure Footgun No. 44)
Azure service
Azure Virtual Network
Resource type
Microsoft.Network/virtualNetworks
Updated
July 1, 2026

What it is

A virtual network with an empty subnets array. Without subnets there is nowhere to place a resource, so the VNet does nothing, yet it still holds an assigned CIDR range and shows up in every network inventory. VNets are free, which is why an empty one rarely gets removed.

Impact (governance)
No direct charge; the cost is a reserved address range and governance clutter
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Empty VNets appear from abandoned landing-zone provisioning, half-finished migrations, and templates that create the VNet before the subnets that were meant to fill it. Azure never prompts you to finish or remove it, and since it carries no charge, it never draws a second look during cost reviews.

The issue is that the VNet's address space is still spoken for. Its CIDR sits in your IP plan and can collide with a future peering or range you actually need, forcing awkward workarounds. An empty vnet-staging-old looks like real infrastructure in diagrams and inventories while providing none.

What it costs / blast radius

Nothing on the bill. The harm is governance: an empty VNet reserves an address range for no benefit, clutters the network topology, and complicates IP planning and peering decisions because its CIDR still counts against your address strategy. When you are trying to keep a clean, non-overlapping address plan across subscriptions, phantom VNets are exactly the noise that trips it up. (Authored assessment of Azure behavior, not a measured statistic.)

See it

Find them: virtual networks with no subnets configured
Resources
| where type =~ 'microsoft.network/virtualNetworks'
| where array_length(coalesce(properties.subnets, dynamic([]))) == 0
| project name, resourceGroup, subscriptionId, location,
          addressSpace = properties.addressSpace.addressPrefixes
Fix: confirm it has no subnets or peerings, then delete it
// No subnets means the VNet cannot host anything; reclaim the CIDR.
az network vnet show --name vnet-staging-old --resource-group rg-net \
  --query "{subnets:subnets, peerings:virtualNetworkPeerings}"
az network vnet delete --name vnet-staging-old --resource-group rg-net

How StratoLens helps

StratoLens inventories every virtual network across every subscription in your own tenant and flags the empty ones, along with the address range each is holding, so abandoned VNets stop crowding your IP plan. Continuously and automatically, across the whole estate.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.