What it is
A deployed Azure VPN Gateway carrying no active site-to-site or point-to-site connections. The tunnels it was built for are gone, were migrated to ExpressRoute, or were never finished, but the gateway keeps running and keeps billing the full hourly rate for its SKU.
Why it happens
A VPN Gateway is priced as a flat hourly charge tied to its SKU, not to traffic or tunnel count. There is no "stopped" or "deallocated" state the way a VM has, so once the gateway exists it bills around the clock until you delete it.
Gateways outlive their purpose quietly. A hybrid link gets cut over to ExpressRoute, a partner connection is decommissioned, or a proof-of-concept tunnel is torn down, and the gateway is left in place "in case we need it again." Nothing about it is misconfigured, so it survives reviews. Azure gives no signal that zero tunnels are up.
What it costs / blast radius
SKU sets the floor. At list price a VpnGw1 is roughly $140/month (about $1,700/year), and higher tiers climb steeply, with VpnGw2 near $365/month and VpnGw3 near $910/month. (List price; your contract may differ.) An idle Basic gateway is cheaper, closer to $27/month, but the larger production SKUs are where a forgotten gateway quietly runs into four figures a year for zero connectivity.
See it
// Azure Resource Graph: list every VPN-type gateway with its SKU.
Resources
| where type =~ 'microsoft.network/virtualnetworkgateways'
| where properties.gatewayType =~ 'Vpn'
| project name, resourceGroup, subscriptionId, location,
    sku = tostring(properties.sku.name),
    gatewayType = tostring(properties.gatewayType)

# Check for any live connections before removing the gateway.
az network vpn-connection list \
  --resource-group rg-network \
  --query "[?contains(virtualNetworkGateway1.id, 'vpngw-prod')].{name:name,status:connectionStatus}"

# If nothing is connected and nothing needs it, delete the gateway.
az network vnet-gateway delete \
  --name vpngw-prod --resource-group rg-network

How StratoLens helps
StratoLens watches connection activity on every VPN Gateway across every subscription and flags the ones sitting idle, with the per-gateway monthly cost attached. You don't have to remember which hybrid links were retired months ago; the check runs continuously so an idle gateway can't keep billing in a subscription nobody opens.
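
The manual check from "See it", run over every gateway in one pass, as an added example that is not part of the original page and is not StratoLens code. It assumes the JSON field names printed by `az network vnet-gateway list` and `az network vpn-connection list`; the gateway names, subscription ID and statuses are constructed sample data, and only site-to-site connection objects are considered, not point-to-site sessions.

```python
# Approximate list prices quoted on this page (USD/month); contracts may differ.
LIST_PRICE = {"Basic": 27, "VpnGw1": 140, "VpnGw2": 365, "VpnGw3": 910}

# Constructed sample data shaped like `az ... -o json`; placeholder subscription.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-network/providers/Microsoft.Network/virtualNetworkGateways/")

def gw(name, gateway_type, sku):
    return {"id": BASE + name, "name": name, "gatewayType": gateway_type,
            "sku": {"name": sku}}

def conn(name, gateway, status):
    return {"name": name, "connectionStatus": status,
            "virtualNetworkGateway1": {"id": BASE + gateway}}

GATEWAYS = [gw("vpngw-prod", "Vpn", "VpnGw2"), gw("vpngw-hub", "Vpn", "VpnGw1"),
            gw("vpngw-poc", "Vpn", "VpnGw3"), gw("vpngw-dr", "Vpn", "Basic"),
            gw("ergw-core", "ExpressRoute", "Standard")]
CONNECTIONS = [conn("to-partner", "vpngw-prod", "NotConnected"),
               conn("to-branch", "VPNGW-HUB", "Connected"),  # ID case differs
               conn("to-dr-site", "vpngw-dr", None)]         # status not returned

def classify(gateways, connections):
    """Map each VPN gateway name to (state, monthly list price or None)."""
    seen = {}
    for c in connections:
        for side in ("virtualNetworkGateway1", "virtualNetworkGateway2"):
            gw_id = (c.get(side) or {}).get("id")
            if gw_id:  # resource IDs are case-insensitive, so normalise
                seen.setdefault(gw_id.lower(), []).append(c.get("connectionStatus"))
    result = {}
    for g in gateways:
        if (g.get("gatewayType") or "").lower() != "vpn":
            continue  # ExpressRoute gateways are out of scope here
        statuses = seen.get(g["id"].lower(), [])
        if "Connected" in statuses:
            state = "active"
        elif all(s == "NotConnected" for s in statuses):
            state = "idle"     # includes gateways with no connection objects
        else:
            state = "unknown"  # missing or transitional status: verify by hand
        result[g["name"]] = (state, LIST_PRICE.get(g.get("sku", {}).get("name")))
    return result

def idle_monthly_cost(result):
    """Sum the list prices of idle gateways whose SKU price is known."""
    return sum(p for state, p in result.values() if state == "idle" and p)

if __name__ == "__main__":
    report = classify(GATEWAYS, CONNECTIONS)
    print(report, idle_monthly_cost(report))
```

A gateway reported as "unknown" is deliberately not counted as idle: confirm its connection status individually before deleting anything.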