
enhancement: Add network resource orphan detection (NICs, Route Tables, LBs, NAT GWs) #22

@Daren9m

Description


Problem

Current network resource detection covers NSGs and Public IPs only. Several commonly-orphaned network resource types are missing:

Missing Network Orphan Types

| Resource Type | Orphan Signal | Cost Impact | Frequency |
|---|---|---|---|
| Network Interfaces (NICs) | Not attached to any VM | Free but clutter | Very common |
| Route Tables | Not associated with any subnet | Free but clutter | Common |
| Load Balancers | No backend pool members | Standard SKU = ~$18/mo | Common |
| NAT Gateways | Not associated with any subnet | ~$32/mo + data charges | Moderate |
| Application Gateways | No backend pool members | ~$175+/mo | Rare but expensive |
| Private DNS Zones | No virtual network links or zero records | Free but clutter | Common |
| VNet Peerings | Peer VNet deleted (Disconnected state) | Free but broken | Moderate |
| Private Endpoints | Target resource deleted | Free but broken | Moderate |

NICs are the #1 Orphan

When a VM is deleted, Azure often leaves the NIC behind. In large dev tenants, orphaned NICs accumulate fast and make resource groups look non-empty (blocking empty-RG cleanup).

Proposed Implementation

New KQL Queries

```kql
// 11-orphaned-nics.kql — NICs not attached to any VM
// Note: private-endpoint and managed-service NICs also have no VM and will match here;
// the cleanup script, not this query, is responsible for filtering them out.
resources
| where type =~ "microsoft.network/networkinterfaces"
| where isnull(properties.virtualMachine.id)
| project subscriptionId, resourceGroup, name, location,
    ipConfigurations = properties.ipConfigurations,
    // Resource Graph exposes no creation time on the NIC itself; do not alias this as createdTime
    provisioningState = properties.provisioningState,
    tags
```

```kql
// 12-orphaned-route-tables.kql — Route tables with no subnet associations
// array_length(null) is null (not 0), so the isnull() test is required for tables that never had a subnet
resources
| where type =~ "microsoft.network/routetables"
| where isnull(properties.subnets) or array_length(properties.subnets) == 0
| project subscriptionId, resourceGroup, name, location,
    routeCount = array_length(properties.routes),
    tags
```

```kql
// 13-empty-load-balancers.kql — LBs with no backend pool members
// loadBalancerBackendAddresses is a dynamic array, so it must be tested with array_length(),
// not compared against the string "[]". Only the first pool is inspected; an LB whose first pool
// has no loadBalancerBackendAddresses property at all is treated as in use (conservative).
resources
| where type =~ "microsoft.network/loadbalancers"
| where array_length(properties.backendAddressPools) == 0
    or array_length(properties.backendAddressPools[0].properties.loadBalancerBackendAddresses) == 0
| project subscriptionId, resourceGroup, name, location,
    sku = sku.name,
    poolCount = array_length(properties.backendAddressPools),
    tags
```
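The three queries above cover NICs, route tables and load balancers; the table lists five more orphan types. The following script is an added example (not part of this issue or the project's code) that runs one Resource Graph query per remaining type and returns one tagged object per finding, which is the shape Invoke-TenantDiscovery.ps1 would need for the XLSX report. It assumes the Az.Accounts and Az.ResourceGraph modules and an existing Connect-AzAccount session. The property paths (`properties.subnets`, `properties.backendAddressPools[].properties.backendAddresses`, `numberOfVirtualNetworkLinks`, `numberOfRecordSets`, `peeringState`, `privateLinkServiceConnectionState.status`) are taken from the ARM resource schemas and should be confirmed against a known orphan in your own tenant before the results are trusted.

```powershell
# Added example, not the project's own code. Detects the network orphan types from the
# table that the proposed KQL files do not yet cover. Requires Az.Accounts + Az.ResourceGraph.
[CmdletBinding()]
param(
    # Optional subscription filter; default is every subscription the session can see.
    [string[]]$SubscriptionId
)

$orphanQueries = [ordered]@{
    'NAT Gateway: no subnet association' = @'
resources
| where type =~ "microsoft.network/natgateways"
| where isnull(properties.subnets) or array_length(properties.subnets) == 0
| project id, subscriptionId, resourceGroup, name, location, tags
'@
    'Application Gateway: no backend pool members' = @'
resources
| where type =~ "microsoft.network/applicationgateways"
| mv-expand pool = properties.backendAddressPools
| extend members = array_length(pool.properties.backendAddresses)
| summarize totalMembers = sum(members) by id, subscriptionId, resourceGroup, name, location
| where totalMembers == 0
'@
    'Private DNS Zone: no VNet links or only the SOA record' = @'
resources
| where type =~ "microsoft.network/privatednszones"
| extend links = toint(properties.numberOfVirtualNetworkLinks), records = toint(properties.numberOfRecordSets)
| where links == 0 or records <= 1
| project id, subscriptionId, resourceGroup, name, links, records, tags
'@
    'VNet Peering: Disconnected (remote VNet deleted)' = @'
resources
| where type =~ "microsoft.network/virtualnetworks"
| mv-expand peering = properties.virtualNetworkPeerings
| where peering.properties.peeringState =~ "Disconnected"
| project id, subscriptionId, resourceGroup, name = tostring(peering.name),
    remoteVnet = tostring(peering.properties.remoteVirtualNetwork.id)
'@
    'Private Endpoint: connection Disconnected (target deleted)' = @'
resources
| where type =~ "microsoft.network/privateendpoints"
| mv-expand conn = properties.privateLinkServiceConnections
| where conn.properties.privateLinkServiceConnectionState.status =~ "Disconnected"
| project id, subscriptionId, resourceGroup, name, location,
    target = tostring(conn.properties.privateLinkServiceId), tags
'@
}

function Invoke-OrphanQuery {
    param([string]$Query, [string[]]$Subscription)
    # Resource Graph returns at most 1000 rows per call; follow SkipToken for the rest.
    $skipToken = $null
    do {
        $p = @{ Query = $Query; First = 1000 }
        if ($Subscription) { $p.Subscription = $Subscription }
        if ($skipToken)    { $p.SkipToken    = $skipToken }
        $page = Search-AzGraph @p
        $page                                        # emit this page's rows
        $skipToken = $page.SkipToken | Select-Object -First 1
    } while ($skipToken)
}

$findings = foreach ($entry in $orphanQueries.GetEnumerator()) {
    foreach ($row in Invoke-OrphanQuery -Query $entry.Value -Subscription $SubscriptionId) {
        # Prefix each finding with its orphan type so the report rows are self-describing.
        $row | Add-Member -NotePropertyName OrphanType -NotePropertyValue $entry.Key -PassThru
    }
}
$findings
```

Run it as `.\Find-NetworkOrphans.ps1 | Export-Csv orphans.csv -NoTypeInformation`, or pipe to `Export-Excel` from the ImportExcel module for the XLSX report the acceptance criteria ask for. The Application Gateway query uses `mv-expand` plus `summarize` rather than inspecting only the first pool, so a gateway is reported only when every one of its pools is empty; the Private DNS test `records <= 1` treats a zone holding nothing but its SOA record as empty.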

New Cleanup Script

  • cleanup/Remove-OrphanedNICs.ps1 — safe NIC cleanup (most impactful)
  • Excludes NICs created by AKS, Application Gateway, or other managed services
  • Supports -WhatIf and lock checks
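What the cleanup script described above could look like, as an added example rather than the project's own Remove-OrphanedNICs.ps1: it queries the same orphan signal as the NIC KQL file, skips NICs that belong to managed services, refuses to touch anything under a resource-group or resource-level lock, and honours -WhatIf through SupportsShouldProcess. It assumes the Az.Accounts, Az.Network, Az.Resources and Az.ResourceGraph modules and an existing Connect-AzAccount session. The default exclusion patterns (`^aks-`, `^appgw`, `^bastion`, `^MC_`) are assumptions about naming conventions and must be tuned to the tenant.

```powershell
# Added example, not the project's own script: remove NICs with no attached VM,
# with managed-service exclusions, lock checks and -WhatIf support.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Restrict to specific subscriptions; default is every subscription the session can see.
    [string[]]$SubscriptionId,
    # NIC name prefixes typical of managed services (assumed defaults; adjust per tenant).
    [string[]]$ExcludeNamePattern = @('^aks-', '^appgw', '^bastion'),
    # Resource-group name patterns owned by managed services (MC_ = AKS node resource group).
    [string[]]$ExcludeResourceGroupPattern = @('^MC_')
)

# Same signal as 11-orphaned-nics.kql (no virtualMachine.id). Private-endpoint NICs also
# have no VM but are owned by the endpoint, so they are excluded in the query itself.
$query = @'
resources
| where type =~ "microsoft.network/networkinterfaces"
| where isnull(properties.virtualMachine.id)
| where isnull(properties.privateEndpoint.id)
| project id, subscriptionId, resourceGroup, name, location, tags
'@

# One call returns at most 1000 rows; the discovery stage pages, this cleanup is simply rerun.
$params = @{ Query = $query; First = 1000 }
if ($SubscriptionId) { $params.Subscription = $SubscriptionId }
$candidates = Search-AzGraph @params

$report = foreach ($nic in $candidates) {
    $skip = $null
    if ($ExcludeNamePattern | Where-Object { $nic.name -match $_ }) {
        $skip = 'name matches a managed-service pattern'
    } elseif ($ExcludeResourceGroupPattern | Where-Object { $nic.resourceGroup -match $_ }) {
        $skip = 'resource group owned by a managed service'
    } else {
        # Locks are inherited, so check the resource group scope as well as the NIC itself.
        # Any CanNotDelete or ReadOnly lock means we leave the NIC alone.
        Set-AzContext -Subscription $nic.subscriptionId -ErrorAction Stop | Out-Null
        $locks = @(Get-AzResourceLock -ResourceGroupName $nic.resourceGroup -AtScope -ErrorAction SilentlyContinue) +
                 @(Get-AzResourceLock -ResourceGroupName $nic.resourceGroup -ResourceName $nic.name `
                       -ResourceType 'Microsoft.Network/networkInterfaces' -ErrorAction SilentlyContinue)
        if ($locks.Count -gt 0) { $skip = "locked ($($locks[0].Properties.level))" }
    }

    $action = 'Skipped'
    if (-not $skip) {
        # ShouldProcess returns $false under -WhatIf, so nothing is deleted in a dry run.
        if ($PSCmdlet.ShouldProcess($nic.id, 'Remove orphaned network interface')) {
            Remove-AzNetworkInterface -Name $nic.name -ResourceGroupName $nic.resourceGroup -Force | Out-Null
            $action = 'Removed'
        } else {
            $action = 'WhatIf'
        }
    }
    [pscustomobject]@{
        Subscription  = $nic.subscriptionId
        ResourceGroup = $nic.resourceGroup
        Name          = $nic.name
        Location      = $nic.location
        Action        = $action
        Reason        = $skip
    }
}

$report | Sort-Object Action, ResourceGroup, Name
```

Run `.\Remove-OrphanedNICs.ps1 -WhatIf` first and review the rows marked `WhatIf` and `Skipped`; only a run without -WhatIf (and without a blocking lock) reaches Remove-AzNetworkInterface. Subscription-level locks are not queried here; Azure still enforces them, so a locked delete fails rather than silently succeeding.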

Acceptance Criteria

  • KQL queries added for all network orphan types
  • Results appear in XLSX report
  • NIC cleanup script with managed-service exclusions
  • At least NICs and Route Tables integrated into Invoke-TenantDiscovery.ps1
