Cost | Governance | High | Occasional | AZF-0007

An idle VPN Gateway with zero tunnels bills ~$140/mo and up, 24/7

A VPN Gateway bills a fixed hourly rate whether or not a single tunnel is up. There is no stopped state, so an idle gateway is pure waste.

Footgun ID: AZF-0007 (Azure Footgun No. 7)
Azure service: Azure VPN Gateway
Resource type: Microsoft.Network/virtualNetworkGateways
Updated: July 1, 2026

What it is

A deployed Azure VPN Gateway carrying no active site-to-site or point-to-site connections. The tunnels it was built for are gone, migrated to ExpressRoute, or were never finished, but the gateway keeps running and keeps billing the full hourly rate for its SKU.

Impact (cost)
~$140/month at list price for a VpnGw1 with zero active connections
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

A VPN Gateway is priced as a flat hourly charge tied to its SKU, not to traffic or tunnel count. There is no "stopped" or "deallocated" state the way a VM has, so once the gateway exists it bills around the clock until you delete it.

Gateways outlive their purpose quietly. A hybrid link gets cut over to ExpressRoute, a partner connection is decommissioned, or a proof-of-concept tunnel is torn down, and the gateway is left in place "in case we need it again." Nothing about it is misconfigured, so it survives reviews. Azure gives no signal that zero tunnels are up.

What it costs / blast radius

SKU sets the floor. At list price a VpnGw1 is roughly $140/month (about $1,700/year), and higher tiers climb steeply, with VpnGw2 near $365/month and VpnGw3 near $910/month. (List price; your contract may differ.) An idle Basic gateway is cheaper, closer to $27/month, but the larger production SKUs are where a forgotten gateway quietly runs into four figures a year for zero connectivity.

See it

Find them: VPN Gateways inventoried across every subscription
Resources
| where type =~ 'microsoft.network/virtualnetworkgateways'
| where properties.gatewayType =~ 'Vpn'
| project name, resourceGroup, subscriptionId, location,
          sku = tostring(properties.sku.name),
          gatewayType = tostring(properties.gatewayType)

Fix: confirm zero active connections, then delete the idle gateway
# Check for any live connections before removing the gateway.
az network vpn-connection list \
  --resource-group rg-network \
  --query "[?contains(virtualNetworkGateway1.id, 'vpngw-prod')].{name:name,status:connectionStatus}"

# If nothing is connected and nothing needs it, delete the gateway.
az network vnet-gateway delete \
  --name vpngw-prod --resource-group rg-network
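
The check above, generalised across many gateways as an added example (not StratoLens or Microsoft code): it classifies VPN gateways from JSON shaped like `az network vnet-gateway list` and `az network vpn-connection list` output and attaches the list prices quoted on this page. The sample records, names and subscription ID are constructed, and a gateway whose connection status is missing is reported as unknown rather than idle.

```python
# Approximate monthly list prices (USD) quoted on this page; other SKUs -> None.
LIST_PRICE = {"Basic": 27, "VpnGw1": 140, "VpnGw2": 365, "VpnGw3": 910}

def classify_gateways(gateways, connections):
    """Map each VPN gateway name to (verdict, estimated monthly USD or None).
    'in-use'  : at least one attached connection is Connected
    'unknown' : a status is missing/Unknown, so do not treat it as deletable
    'idle'    : no connections, or none of them connected
    Point-to-site clients are not connection resources; check them separately.
    """
    statuses = {}  # lower-cased gateway id -> statuses of attached connections
    for conn in connections:
        # A gateway can be either side of a VNet-to-VNet connection.
        for side in ("virtualNetworkGateway1", "virtualNetworkGateway2"):
            gw_id = (conn.get(side) or {}).get("id")
            if gw_id:
                statuses.setdefault(gw_id.lower(), []).append(conn.get("connectionStatus"))
    result = {}
    for gw in gateways:
        if (gw.get("gatewayType") or "").lower() != "vpn":
            continue  # ExpressRoute gateways are out of scope
        seen = statuses.get(gw["id"].lower(), [])  # resource IDs are case-insensitive
        if "Connected" in seen:
            verdict = "in-use"
        elif any(s in (None, "Unknown") for s in seen):
            verdict = "unknown"
        else:
            verdict = "idle"
        result[gw["name"]] = (verdict, LIST_PRICE.get((gw.get("sku") or {}).get("name")))
    return result

# Constructed sample data (placeholder subscription id, made-up gateway names).
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-network/providers/Microsoft.Network/virtualNetworkGateways/")
def sample_gw(name, gtype, sku):
    return {"id": BASE + name, "name": name, "gatewayType": gtype, "sku": {"name": sku}}
SAMPLE_GATEWAYS = [sample_gw("vpngw-prod", "Vpn", "VpnGw1"), sample_gw("vpngw-hub", "Vpn", "VpnGw2"),
                   sample_gw("vpngw-poc", "Vpn", "Basic"), sample_gw("vpngw-lab", "Vpn", "VpnGw3"),
                   sample_gw("ergw-core", "ExpressRoute", "Standard")]
SAMPLE_CONNECTIONS = [
    {"virtualNetworkGateway1": {"id": BASE + "vpngw-prod"}, "connectionStatus": "NotConnected"},
    {"virtualNetworkGateway1": {"id": BASE + "vpngw-spoke"},
     "virtualNetworkGateway2": {"id": (BASE + "vpngw-hub").upper()}, "connectionStatus": "Connected"},
    {"virtualNetworkGateway1": {"id": BASE + "vpngw-lab"}, "connectionStatus": None},
]

if __name__ == "__main__":
    for name, (verdict, usd) in classify_gateways(SAMPLE_GATEWAYS, SAMPLE_CONNECTIONS).items():
        print(f"{name:12} {verdict:8} ~${usd}/month at list price")
```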

How StratoLens helps

StratoLens watches connection activity on every VPN Gateway across every subscription and flags the ones sitting idle, with the per-gateway monthly cost attached. You don't have to remember which hybrid links were retired months ago; the check runs continuously so an idle gateway can't keep billing in a subscription nobody opens.
