Wasted Resources in Azure Subscriptions Test
An Azure subscription is the basic unit where all resources are contained. It also defines several limits within Azure, such as number of cores, resources, etc.
To help administrators keep track of the resources allocated to the target subscription, and of the resources that remain inactive and are not available for use, eG Enterprise provides the Azure Subscriptions test.
This test helps administrators to figure out the state of the monitored subscription and the total number of resources allocated to that subscription, the number of geographic locations allocated to each subscription, etc. Using this test, administrators can figure out the number of inactive resources on a target subscription. This way, resources that are seldom used can be identified.
Target of the Test: A Microsoft Azure Subscription
Agent deploying the test: A remote agent
Output of the test: One set of results for the Microsoft Azure Subscription being monitored

| Parameters | Description |
|---|---|
| Test Period | How often should the test be executed. |
| Host | The host for which the test is to be configured. |
| Subscription ID | This field will be automatically populated if you have chosen to automatically fulfill the pre-requisites for monitoring the Microsoft Azure Subscription. Otherwise, specify the GUID which uniquely identifies the Microsoft Azure Subscription to be monitored in this text box. |
| Tenant ID | This field will be automatically populated if you have chosen to automatically fulfill the pre-requisites for monitoring the Microsoft Azure Subscription. Otherwise, specify the Directory ID of the Azure Entra ID tenant to which the target subscription belongs in this text box. |
| Client ID, Client Password, and Confirm Password | To connect to the target subscription, the eG agent requires an Access token in the form of an Application ID and the client secret value. For this purpose, you should register a new application with the Microsoft Entra tenant. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. Specify the Application ID of the created Application in the Client ID text box and the client secret value in the Client Password text box. |
| Proxy Host and Proxy Port | In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy. |
| Proxy Username, Proxy Password and Confirm Password | If the proxy server requires authentication, then specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box. |
| VM Snapshot Age in Days | By default, this parameter is set to 365 days. This means that, by default, this test will consider any snapshot that was created over 1 year ago as an 'old snapshot'. The count of such snapshots will be reported as the value of the Old VM snapshots measure. You can change the value of this parameter if you want to increase or decrease the age at which a snapshot becomes 'old' or 'obsolete', so it can be removed to conserve space. |
| Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Status | Indicates the current state of the subscription. |  | The values reported by this measure and its numeric equivalents are mentioned in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate the current state of this subscription. In the graph of this measure however, the same is represented using the numeric equivalents only - 0 or 1. With the help of the detailed diagnosis of this measure, you can determine the display name and Quota ID of the monitored subscription. |
| Total GEO locations | Indicates the number of geographic locations allocated to the subscription. | Number | The detailed diagnosis of this measure lists the name of the geographic locations that are allocated to each subscription. |
| Total resources | Indicates the total number of resources that can be allocated to the subscription. | Number |  |
| Active resources | Indicates the number of resources that are currently active on the subscription. | Number | The detailed diagnosis of this measure lists the name of the resource provider and the name of the resources provided through each resource provider that are active for each subscription. |
| Inactive resources | Indicates the number of resources that are currently inactive on the subscription. | Number | The detailed diagnosis of this measure lists the name of the resource provider and the name of the resources provided through each resource provider that are inactive for each subscription. |
| Other resources | Indicates the number of resources that are currently in other states on the subscription. | Number | Use the detailed diagnosis of this measure to know which resources of the target subscription are in states other than Enabled or Unknown. |
| Active resource groups | Indicates the number of resource groups that are currently active on the subscription. | Number | Use the detailed diagnosis of this measure to know which resource groups of the target subscription are currently active. |
| Unused disks | Indicates the number of disks that are currently not used by the subscription. | Number | One of the major reasons your Azure storage costs may be higher than you expect is the presence of unused virtual hard disks (VHDs) in your Azure subscription. A key Azure cost management best practice is to find and delete all of these unused resources. Unused disks can accumulate after migration projects, diagnostic drives of VMs, or backups, but most unused disks are orphaned disks. When VMs are deleted, the disks are not deleted automatically, which leaves behind what are known as orphaned disks. These orphaned disks take up space and incur charges that most Azure users don't even know they're paying. To identify unused disks, use the detailed diagnosis of this measure. |
| Unused network interfaces | Indicates the number of unused network interfaces. | Number | A network interface enables an Azure Virtual Machine to communicate with the internet, Azure, and on-premises resources. It is important to identify and delete unused network interfaces, as it helps save cloud costs. Usually, it is the orphaned NICs that stay unused for a long time. When you delete a VM in Azure, the NIC attached to the VM is only disassociated; it is not deleted automatically and is left behind as an orphaned NIC. To identify such NICs, use the detailed diagnosis of this measure. |
| Unused availability sets | Indicates the number of availability sets that are unused. | Number | An availability set is a logical grouping of VMs that allows Azure to understand how your application is built to provide for redundancy and availability. Like other Azure resources, unused availability sets also add to your cloud usage costs. To save costs, it's best to identify unused availability sets and delete them. The detailed diagnosis of this test sheds light on the unused availability sets, and for how long they have not been used. If any availability set has been unused for a considerably long time, you may want to consider deleting that set. |
| Unused public IPs | Indicates the number of public IPs that the subscription is not using currently. | Number | Use the detailed diagnosis of this test to identify Public IPs that the subscription is not using, understand how long they have remained unused, and decide whether/not such IPs can be removed. Unused resources like public IPs often add to costs, and hence should be deleted. |
| Unused network security groups | Indicates the number of network security groups that the subscription is not using currently. | Number | You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. Typically, empty groups with no rules and groups that are not associated with any subnets or network interfaces will not be used to filter network traffic. It is best if such unused groups are identified and deleted, as they will be unnecessarily adding to your cloud costs. To quickly identify the unused network security groups and understand how long they have been unused, use the detailed diagnosis of this measure. |
| Unused resource groups | Indicates the number of resource groups not used by the subscription presently. | Number | A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. Unused resource groups impact Azure costs. To reduce this cost impact, it is recommended that you identify the unused groups and remove them. Use the detailed diagnosis of this measure for this purpose. With the help of detailed metrics, you can isolate the unused groups and the duration for which they have been idle. Based on this information, you can decide whether/not the resource group needs to be removed. |
| Unused route tables | Indicates the number of unused route tables. | Number | Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change any of Azure's default routing, you do so by creating a route table. One of the common reasons for a route table being unused is that it may not be associated with any subnet. Regardless of the reason for the poor usage, it is good practice to identify unused route tables and remove them, as such route tables needlessly escalate Azure costs. The detailed diagnosis of this measure leads you to unused route tables and how long they have not been used. This will help you figure out whether/not these route tables should be removed. |
| Unused load balancers | Indicates the number of load balancers that this subscription is not using currently. | Number | The detailed diagnosis of this measure leads you to the unused load balancers, reveals for how long they were idle, and thus, helps you determine whether/not they should be deleted to save Azure costs. |
| Unused app service plans | Indicates the current number of App Service Plans that are unused. | Number | An Azure App Service plan provides the resources that an App Service app needs to run. App Service plans that have no apps associated with them still incur charges because they continue to reserve the configured VM instances. Likewise, an App Service Plan will continue to be billed, even if the app associated with that plan is not run, or does not use the resources in the plan. To minimize Azure costs therefore, use the detailed diagnosis of this measure to identify such unused plans, learn how long they have been unused, and then decide whether/not you want to delete them. |
| Virtual networks without subnets | Indicates the number of virtual networks that do not have subnets. | Number | Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization's internal network. This also improves address allocation efficiency. Use the detailed diagnosis of this measure to identify those virtual networks that are not segmented using subnets, and determine how well such virtual networks have been utilized for communication. If the detailed metrics reveal virtual networks that have been idle for too long, you can attribute the poor usage to the absence of subnets. |
| Traffic manager profiles without endpoints | Indicates the number of traffic manager profiles that are not configured with endpoints. | Number | Microsoft Azure Traffic Manager allows you to control how network traffic is distributed to application deployments running in different datacenters. You configure each application deployment as an 'endpoint' in Traffic Manager. When Traffic Manager receives a DNS request, it chooses an available endpoint to return in the DNS response. Traffic Manager bases the choice on the current endpoint status and the traffic-routing method configured in the Traffic Manager Profile. For the Azure Traffic Manager to work efficiently, you need to add one/more endpoints to a Traffic Manager Profile. Profiles without endpoints serve no purpose other than adding to your Azure costs. To minimize costs therefore, you need to identify those profiles that are not tied to any endpoints. The detailed diagnosis of this measure points you to such profiles and also reveals the duration for which such profiles were unused. Based on these detailed metrics, you can choose either to add endpoints to a profile and promote its usage, or to simply delete the profile and optimize costs. |
| Disabled traffic manager profiles | Indicates the number of traffic manager profiles that are currently disabled. | Number | Use the detailed diagnosis of this measure to identify those profiles that are disabled. |
| Old VM snapshots | Indicates the number of VM snapshots that are of or above the age configured against the VM Snapshot Age in Days parameter. | Number | Use the detailed diagnosis to know which are the old snapshots and how much storage space they occupy. You may want to consider deleting those old snapshots that are hogging storage space. |
| Unused batch accounts | Indicates the number of batch accounts that the subscription is not using currently. | Number | An Azure Batch account is a uniquely identified entity within the Batch service. All processing and resources are associated with a Batch account. When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or an Azure Active Directory token. You can run multiple Batch workloads in a single Batch account. You can also distribute your workloads among Batch accounts that are in the same subscription but located in different Azure regions. Use the detailed diagnosis to identify those batch accounts that are currently not in use. You may want to reconsider deleting the batch accounts that are no longer in use. |
| Unused notification hub namespaces | Indicates the number of namespaces in the Notification Hubs of the subscription that are currently not in use. | Number | Azure Notification Hubs has two resource levels: hubs and namespaces. A hub is a single push resource that can hold the cross-platform push information of one app. A namespace is a collection of hubs in one region. Use the detailed diagnosis of this measure to identify the namespaces that are not in use in the subscription. |
| Unconnected virtual network gateways connections | Indicates the number of virtual network gateway connections that are not connected. | Number | Use the detailed diagnosis of this measure to identify those virtual network gateway connections that are not connected. |
| Disabled service bus queues | Indicates the number of service bus queues that are currently disabled. | Number | Azure Service Bus supports reliable message queuing and durable publish/subscribe messaging. The messaging entities that form the core of the messaging capabilities in Service Bus are queues, topics and subscriptions. Use the detailed diagnosis to identify the service bus queues that are disabled in the Azure subscription. |
| Unused storage accounts | Indicates the number of storage accounts in the subscription that are currently unused. | Number | An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that's accessible from anywhere in the world over HTTP or HTTPS. Data in your storage account is durable and highly available, secure, and massively scalable. Use the detailed diagnosis to identify those storage accounts that are unused and the number of days since each was last used. |
| Expired webhooks | Indicates the number of webhooks of the subscription that have expired. | Number | A webhook allows an external service to start a particular runbook in Azure Automation through a single HTTP request. Use the detailed diagnosis of this measure to identify those webhooks that have expired and the number of days since expiry. |
| Unused function apps | Indicates the number of function apps in the subscription that are currently unused. | Number | A function app lets you group functions as a logical unit for easier management, deployment, scaling, and sharing of resources. Use the detailed diagnosis of this measure to identify those function apps that are unused and the number of days since the function apps were last used. Using this information, administrators can consider deleting those function apps. |
| Disabled logic apps | Indicates the number of Logic Apps that are currently disabled. | Number | Logic App is an Azure workflow or orchestration tool that moves data along a path or starts processes with the use of connectors. Logic Apps enables serverless applications to automate and orchestrate business processes and workflows. Use the detailed diagnosis to identify the Logic Apps that are disabled and the number of days since the Logic Apps were disabled. |
| Unused front door WAF policy | Indicates the number of WAF policies created on front door that are currently unused. | Number | Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits and vulnerabilities. It keeps your service highly available for your users and helps you meet compliance requirements. WAF on Front Door is a global and centralized solution. It's deployed on Azure network edge locations around the globe. WAF enabled web applications inspect every incoming request delivered by Front Door at the network edge. You can configure a WAF policy and associate that policy to one or more Front Door front-ends for protection. A WAF policy consists of two types of security rules: Use the detailed diagnosis to identify those WAF policies that are not used. |
| Unused web API connections | Indicates the number of web API connections that are currently unused. | Number | Use the detailed diagnosis of this measure to identify those web API connections that are unused. |
| Orphaned roles | Indicates the number of orphaned roles associated with the given subscription. | Number | Orphaned roles typically refer to roles that are assigned to a user or service principal but have no corresponding resource group or subscription. This situation can occur due to various reasons such as resource deletion, subscription removal, or user account deletion. |
| Role assignments with disabled users | Indicates the number of role assignments with disabled users in the given subscription. | Number | Role assignments with disabled users refer to situations where a user account that has been granted a role within an Azure subscription, resource group, or resource is subsequently disabled. This could happen due to various reasons such as employee departure, account suspension, or security measures. |
| Total wasted resources | Indicates the number of underutilized resources in the given subscription. | Number | When an Azure subscription has a large number of wasted resources (i.e., idle, unused, or overprovisioned services), the impact can be significant across cost, performance, governance, and security. |
| Total wasted resources cost | Indicates the cost of underutilized resources in the given subscription. | USD | The total cost of wasted resources should ideally be 0. |
| Expired web certificates | Indicates the number of web certificates that have reached their expiration date. | Number | An expired web certificate in an Azure subscription is an SSL/TLS certificate associated with a resource (such as an App Service, Application Gateway, Key Vault, etc.) that has passed its expiration date, making it invalid for securing HTTPS connections. Use the detailed diagnosis of this measure to identify the name of the expired certificate, the resource group to which the certificate belongs, its location, the expiry date of the certificate, the number of days since expiry, and the tags to which the certificate belongs. |
| Disconnected private endpoints | Indicates the number of private endpoints that are disconnected. | Number | A Private Endpoint is a network interface that securely connects you to an Azure service (like a storage account, SQL DB, etc.) over a private IP within your Virtual Network (VNet). A disconnected private endpoint in Azure refers to a Private Endpoint that is not successfully connected to its target resource, often due to missing approval, resource deletion, or configuration errors. Use the detailed diagnosis of this measure to identify the name of the private endpoint, the resource group to which the private endpoint belongs, its location, and the tags to which the private endpoint belongs. |
| Unused subnets | Indicates the number of subnets that are unused. | Number | An unused subnet in Azure is a subnet within a Virtual Network (VNet) that has no active resources deployed in it and is not currently being used for any network functions like routing, delegation, or service integration. Use the detailed diagnosis of this measure to identify the name of the subnet, the resource group to which the subnet belongs, its location, and the tags to which the subnet belongs. |
| Unused application gateways | Indicates the number of application gateways that are unused. | Number | An unused Application Gateway in Azure refers to an Application Gateway resource that is deployed but not actively serving traffic, has no backend targets, or is not associated with any listeners or routing rules. Use the detailed diagnosis of this measure to identify the name of the application gateway, the resource group to which the application gateway belongs, its location, and the tags to which the application gateway belongs. |
| Unused virtual network gateways | Indicates the number of virtual network gateways that are unused. | Number | An unused Virtual Network Gateway in Azure is a provisioned gateway (VPN) that is not currently connected to any remote network, not handling any traffic, or not associated with any connections, but is still incurring charges. Use the detailed diagnosis of this measure to identify the name of the virtual network gateway, the resource group to which the virtual network gateway belongs, its location, and the tags to which the virtual network gateway belongs. |
| SQL elastic pools without databases | Indicates the number of SQL elastic pools without databases. | Number | If a SQL Elastic Pool in Azure has no databases assigned to it, the pool still exists and continues to incur charges based on its configured compute and storage size even though it's not being used. |

With the help of the detailed diagnosis of the Status measure, you can determine the display name and Quota ID of the monitored subscription.
Figure 3 : The detailed diagnosis of the Status measure reported by the Azure Subscriptions test
The detailed diagnosis of the Total GEO locations measure lists the name of the geographic locations that are allocated to each subscription.
Figure 4 : The detailed diagnosis of the Total GEO locations measure
The detailed diagnosis of the Active resources measure lists the name of the resource provider and the name of the resources provided through each resource provider that are active for each subscription.
Figure 5 : The detailed diagnosis of the Active resources measure
The detailed diagnosis of the Inactive resources measure lists the name of the resource provider and the name of the resources provided through each resource provider that are inactive for each subscription.
Figure 6 : The detailed diagnosis of the Inactive resources measure
Use the detailed diagnosis of the Other resources measure to know which resources of the target subscription are in states other than Enabled or Unknown.
Figure 7 : The detailed diagnosis of the Other resources measure
Use the detailed diagnosis of the Active resource groups measure to know which resource groups of the target subscription are currently active.
Figure 8 : The detailed diagnosis of the Active resource groups measure
The detailed diagnosis of the Orphaned roles measure lists the Orphaned Role name, Last updated time and Number of unused days for the given subscription.
Figure 9 : The detailed diagnosis of the Orphaned roles measure
The detailed diagnosis of the Role assignments with disabled users measure lists the Role Assignment name, Disabled users, Last updated time and Number of unused days for the disabled users in the given subscription.
Figure 10 : The detailed diagnosis of the Role assignments with disabled users measure
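The following is an added example, not eG Enterprise code: it shows one way to evaluate the Orphaned roles and Role assignments with disabled users conditions as this page defines them, over records shaped like Azure CLI role assignment output. All data is constructed; the `audit` and `parse_scope` helpers, the directory lookup, and the reading of "number of unused days" as days since `updatedOn` are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data (placeholder identifiers, not real tenant values).
SUB = "00000000-0000-0000-0000-000000000000"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed so results are reproducible
SUBSCRIPTIONS = {SUB}                              # subscriptions that still exist
RESOURCE_GROUPS = {"rg-prod", "rg-shared"}         # resource groups that still exist
# Directory lookup keyed by object ID; accountEnabled mirrors the Microsoft Graph
# user property. A principal missing from this map is treated as deleted.
DIRECTORY = {
    "u-alice": {"accountEnabled": True},
    "u-bob": {"accountEnabled": False},
    "sp-ci": {"accountEnabled": True},
}
ASSIGNMENTS = [
    {"name": "ra-1", "principalId": "u-alice", "principalType": "User",
     "roleDefinitionName": "Reader", "updatedOn": "2024-12-02T00:00:00+00:00",
     "scope": f"/subscriptions/{SUB}/resourceGroups/RG-Prod"},
    {"name": "ra-2", "principalId": "u-bob", "principalType": "User",
     "roleDefinitionName": "Contributor", "updatedOn": "2024-10-03T00:00:00+00:00",
     "scope": f"/subscriptions/{SUB}"},
    {"name": "ra-3", "principalId": "sp-ci", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "updatedOn": "2024-01-01T00:00:00+00:00",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-old-migration"},
    {"name": "ra-4", "principalId": "u-gone", "principalType": "User",
     "roleDefinitionName": "Reader", "updatedOn": "2024-12-22T00:00:00+00:00",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-shared"},
]


def parse_scope(scope):
    """Return (subscription, resource_group) from an ARM scope, lower-cased.

    Either element is None when the scope does not name it, for example a
    management-group scope or a subscription-level scope.
    """
    parts = [p.lower() for p in scope.split("/") if p]
    found = {}
    for key in ("subscriptions", "resourcegroups"):
        if key in parts and parts.index(key) + 1 < len(parts):
            found[key] = parts[parts.index(key) + 1]
    return found.get("subscriptions"), found.get("resourcegroups")


def audit(assignments, subscriptions, resource_groups, directory, now):
    """Split role assignments into the two findings described on this page."""
    subs = {s.lower() for s in subscriptions}
    groups = {g.lower() for g in resource_groups}   # group names are case-insensitive
    report = {"orphaned": [], "disabled_users": []}
    for ra in assignments:
        row = {
            "name": ra["name"],
            "role": ra["roleDefinitionName"],
            "unused_days": (now - datetime.fromisoformat(ra["updatedOn"])).days,
        }
        principal = directory.get(ra["principalId"])
        sub, rg = parse_scope(ra["scope"])
        if principal is None:
            report["orphaned"].append({**row, "reason": "principal no longer exists"})
        elif sub is not None and sub not in subs:
            report["orphaned"].append({**row, "reason": "subscription no longer exists"})
        elif rg is not None and rg not in groups:
            report["orphaned"].append({**row, "reason": "resource group no longer exists"})
        elif ra["principalType"] == "User" and not principal["accountEnabled"]:
            report["disabled_users"].append({**row, "reason": "user account is disabled"})
    return report


if __name__ == "__main__":
    result = audit(ASSIGNMENTS, SUBSCRIPTIONS, RESOURCE_GROUPS, DIRECTORY, NOW)
    for finding, rows in result.items():
        for r in rows:
            print(finding, r["name"], r["role"], r["unused_days"], r["reason"])
```

Findings that carry high-privilege roles such as Owner or Contributor deserve review first, since a re-enabled account or a recreated resource group would regain that access.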
The detailed diagnosis of the Unused disks measure lists the details of each wasted (i.e., unused) disk and helps you figure out how long each disk has been unused.
Figure 11 : The detailed diagnosis of the Unused disks measure
The detailed diagnosis of the Old VM snapshots measure lists the details of each wasted resource (i.e., VM snapshot) and helps you figure out how long the snapshot has been unused.
Figure 12 : The detailed diagnosis of the Old VM snapshots measure
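The following is an added example, not eG Enterprise code: it shows one way to evaluate the conditions this page gives for the Unused disks, Unused network interfaces, Unused network security groups and Old VM snapshots measures, over resource records shaped like Azure CLI JSON output. The inventory is constructed sample data, and the `wasted_summary` helper and its companions are assumptions for illustration.

```python
from datetime import datetime, timezone

SNAPSHOT_AGE_DAYS = 365   # the page's default for "VM Snapshot Age in Days"
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed so results are reproducible

# Constructed inventory; identifiers are placeholders.
INVENTORY = {
    "disks": [
        {"name": "vm1-osdisk", "managedBy": "vm1-resource-id-placeholder"},
        {"name": "vm-old-datadisk", "managedBy": None},
    ],
    "nics": [
        {"name": "vm1-nic", "virtualMachine": {"id": "vm1"}, "privateEndpoint": None},
        {"name": "vm-old-nic", "virtualMachine": None, "privateEndpoint": None},
        {"name": "pe-storage-nic", "virtualMachine": None,
         "privateEndpoint": {"id": "pe-storage"}},
    ],
    "nsgs": [
        {"name": "nsg-web", "securityRules": [{"name": "allow-https"}],
         "subnets": [{"id": "snet-web"}], "networkInterfaces": None},
        {"name": "nsg-empty", "securityRules": [],
         "subnets": [{"id": "snet-app"}], "networkInterfaces": None},
        {"name": "nsg-detached", "securityRules": [{"name": "allow-mgmt"}],
         "subnets": None, "networkInterfaces": None},
    ],
    "snapshots": [
        {"name": "snap-2022", "timeCreated": "2022-01-10T00:00:00+00:00", "diskSizeGb": 128},
        {"name": "snap-boundary", "timeCreated": "2024-06-01T00:00:00+00:00", "diskSizeGb": 64},
        {"name": "snap-recent", "timeCreated": "2024-06-02T00:00:00+00:00", "diskSizeGb": 64},
    ],
}


def unused_disks(disks):
    # A managed disk that no VM owns is the orphaned disk the page describes.
    return [d["name"] for d in disks if not d.get("managedBy")]


def unused_nics(nics):
    # A NIC backing a private endpoint never references a VM but is still in use,
    # so it must not be counted as orphaned.
    return [n["name"] for n in nics
            if not n.get("virtualMachine") and not n.get("privateEndpoint")]


def unused_nsgs(nsgs):
    # Page criteria: empty groups with no rules, or groups not associated
    # with any subnet or network interface.
    findings = []
    for g in nsgs:
        if not g.get("securityRules"):
            findings.append((g["name"], "no security rules"))
        elif not (g.get("subnets") or g.get("networkInterfaces")):
            findings.append((g["name"], "not associated with a subnet or NIC"))
    return findings


def old_snapshots(snapshots, now, threshold_days=SNAPSHOT_AGE_DAYS):
    # "Of or above" the configured age, so the comparison is inclusive.
    findings = []
    for s in snapshots:
        age = (now - datetime.fromisoformat(s["timeCreated"])).days
        if age >= threshold_days:
            findings.append((s["name"], age, s["diskSizeGb"]))
    return findings


def wasted_summary(inventory, now, threshold_days=SNAPSHOT_AGE_DAYS):
    """Map each measure name used on this page to its findings."""
    return {
        "Unused disks": unused_disks(inventory["disks"]),
        "Unused network interfaces": unused_nics(inventory["nics"]),
        "Unused network security groups": unused_nsgs(inventory["nsgs"]),
        "Old VM snapshots": old_snapshots(inventory["snapshots"], now, threshold_days),
    }


if __name__ == "__main__":
    for measure, rows in wasted_summary(INVENTORY, NOW).items():
        print(f"{measure}: {len(rows)} -> {rows}")
```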
The detailed diagnosis of the Expired web certificates measure lists the expired web certificate details specific to each type of wasted resource.
Figure 13 : The detailed diagnosis of the Expired web certificates measure
The detailed diagnosis of the Disconnected private endpoints measure lists the details of the disconnected private endpoints.
Figure 14 : The detailed diagnosis of the Disconnected private endpoints measure
The detailed diagnosis of the Unused subnets measure lists the details of unused subnets.
Figure 15 : The detailed diagnosis of the Unused subnets measure