Orphaned Private Endpoints After Target Service Deletion
Shailaja Beeram
CER
CER-0318
Service Category
Networking
Cloud Provider
Azure
Service Name
Azure Private Link
Inefficiency Type
Unused Resource
Explanation

Azure Private Endpoints are network interfaces that provide private connectivity from a virtual network to Azure PaaS services such as Storage Accounts, SQL Databases, or Key Vaults. When the target service behind a private endpoint is deleted, migrated, or replaced, the private endpoint itself is not automatically removed. Instead, it transitions to a disconnected state and persists as an orphaned network resource that continues to incur hourly charges. Because private endpoints are network-layer resources managed separately from the application resources they connect to, they are frequently overlooked when services are decommissioned — particularly when the service owner and the network owner are different teams.

This pattern is especially common in development and testing environments where resources are created and destroyed frequently, but networking components are not consistently cleaned up as part of the resource lifecycle. It also occurs during production migrations, service replacements, or architecture changes. Over time, these orphaned endpoints accumulate silently — occupying private IP addresses in subnets, contributing to IP address exhaustion, and generating ongoing charges with no functional benefit. Because each private endpoint maps to a specific target resource and subresource (for example, separate endpoints are required for blob versus file storage on the same storage account), even a single decommissioned service can leave behind multiple orphaned endpoints.

Relevant Billing Model

Azure Private Endpoint billing is based on two components:

  • A per-endpoint hourly charge — incurred continuously from the moment the private endpoint is created until it is explicitly deleted, regardless of whether the target resource still exists or whether any traffic is flowing through the endpoint. Partial hours are charged as full hours.
  • Data processing charges — applied to inbound data processed through the private endpoint, with tiered pricing based on volume. These charges are only relevant when the endpoint is actively routing traffic.

A private endpoint in a disconnected or orphaned state generates zero data processing charges but continues to accrue the fixed hourly endpoint charge indefinitely. This charge persists until the endpoint resource is manually deleted by the endpoint owner. There is no automatic cleanup mechanism or grace period for disconnected endpoints.

Detection
  • Identify private endpoints in a disconnected connection state, which indicates the target resource or its private endpoint connection has been removed
  • Review private endpoints whose associated target resources (such as storage accounts, databases, or key vaults) no longer exist in the subscription or have been migrated
  • Assess virtual network subnets for private endpoints that are not associated with any currently active workload or application
  • Evaluate private endpoint inventories across development, testing, and staging environments where resource turnover is high
  • Examine private endpoints that show no data processing activity over a representative period, indicating they are not routing any traffic
  • Confirm with application and platform teams whether flagged private endpoints are still required for planned or future use
Remediation
  • Delete private endpoints that are in a disconnected state or whose target resources no longer exist, as these endpoints serve no functional purpose and cannot be reconnected
  • Incorporate private endpoint cleanup into service decommissioning procedures so that when a target resource is deleted or migrated, its associated private endpoints are reviewed and removed as part of the same process
  • Establish periodic infrastructure audits that specifically include networking resources such as private endpoints, ensuring orphaned resources are identified and removed before they accumulate
  • Implement tagging and ownership conventions for private endpoints that link them to the application or service they support, making it easier to identify orphaned resources when services change
  • Use automated governance checks to detect and alert on private endpoints in a disconnected state or with no associated target resource, enabling timely remediation
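The detection steps above (disconnected connection state, target resource no longer in the subscription) and the tagging convention from the remediation list can be combined into one offline audit. The following Python script is an added example, not the page's or Microsoft's own tooling. It runs over an inventory in the JSON shape returned by `az network private-endpoint list -o json` (the field names `privateLinkServiceConnections`, `manualPrivateLinkServiceConnections`, `privateLinkServiceId`, `groupIds` and `privateLinkServiceConnectionState.status` are assumed to follow the Microsoft.Network/privateEndpoints schema) together with a list of resource IDs that still exist, for example from `az resource list`. The sample inventory, the placeholder subscription ID and the required tag names `owner` and `application` are constructed for the example.

```python
"""Audit an exported Azure Private Endpoint inventory for orphaned endpoints.

Added example, not the page's own tooling. It runs offline on the JSON shape
returned by `az network private-endpoint list -o json` (field names assumed
to follow the Microsoft.Network/privateEndpoints schema) plus the list of
resource IDs that still exist in the subscription (e.g. `az resource list`).
"""
import json
from collections import Counter
from dataclasses import dataclass

# Ownership tags required by the tagging convention (assumed tag names).
REQUIRED_TAGS = ("owner", "application")
# Reasons that mean the endpoint is orphaned rather than merely ungoverned.
ORPHAN_REASONS = {"disconnected", "target-missing", "no-connection"}

# Constructed sample data with a placeholder subscription ID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stbillingprod"
SQL = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Sql/servers/sql-dev-01"
KV = f"{SUB}/resourceGroups/rg-stg/providers/Microsoft.KeyVault/vaults/kv-staging-01"
VNET = f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks"


def _pe(name, vnet, target, group, status, tags):
    """Build one endpoint record shaped like the CLI output (constructed)."""
    return {"name": name, "tags": tags,
            "subnet": {"id": f"{VNET}/{vnet}/subnets/snet-pe"},
            "privateLinkServiceConnections": [{
                "privateLinkServiceId": target, "groupIds": [group],
                "privateLinkServiceConnectionState": {"status": status}}],
            "manualPrivateLinkServiceConnections": []}


SAMPLE_ENDPOINTS_JSON = json.dumps([
    _pe("pe-storage-blob-prod", "vnet-prod", STORAGE, "blob", "Approved",
        {"owner": "team-payments", "application": "billing"}),
    # Same storage account, separate endpoint for the file subresource.
    _pe("pe-storage-file-prod", "vnet-prod", STORAGE, "file", "Approved",
        {"owner": "team-payments"}),
    # Target SQL server was deleted; the endpoint went Disconnected.
    _pe("pe-sql-dev", "vnet-dev", SQL, "sqlServer", "Disconnected", None),
    # Target vault is gone but the connection state was never refreshed.
    _pe("pe-kv-staging", "vnet-staging", KV, "vault", "Approved",
        {"owner": "team-identity", "application": "sso"}),
])
SAMPLE_EXISTING_IDS = [STORAGE]  # only the storage account still exists


@dataclass
class Finding:
    name: str
    subnet_id: str
    target_id: str
    reasons: list

    @property
    def orphaned(self):
        return bool(ORPHAN_REASONS & set(self.reasons))


def audit_private_endpoints(endpoints, existing_ids, required_tags=REQUIRED_TAGS):
    """Return a Finding for each endpoint that is orphaned or lacks ownership tags."""
    existing = {rid.lower() for rid in existing_ids}
    findings = []
    for pe in endpoints:
        reasons = set()
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        if not conns:
            reasons.add("no-connection")
        for conn in conns:
            state = conn.get("privateLinkServiceConnectionState") or {}
            if state.get("status", "").lower() == "disconnected":
                reasons.add("disconnected")
            # Compare IDs case-insensitively; ARM IDs are not case-normalised.
            target = conn.get("privateLinkServiceId", "")
            if target.lower() not in existing:
                reasons.add("target-missing")
        missing = [t for t in required_tags if t not in (pe.get("tags") or {})]
        if missing:
            reasons.add("untagged:" + ",".join(missing))
        if reasons:
            target = conns[0].get("privateLinkServiceId", "") if conns else ""
            findings.append(Finding(pe["name"], pe["subnet"]["id"], target, sorted(reasons)))
    return findings


def orphaned_by_subnet(findings):
    """Count orphaned endpoints per subnet (each still holds a private IP)."""
    return Counter(f.subnet_id for f in findings if f.orphaned)


def audit_sample():
    """Run the audit over the constructed sample inventory."""
    return audit_private_endpoints(json.loads(SAMPLE_ENDPOINTS_JSON), SAMPLE_EXISTING_IDS)


if __name__ == "__main__":
    results = audit_sample()
    for f in results:
        print(f"{f.name}: {', '.join(f.reasons)}")
    for subnet, n in orphaned_by_subnet(results).items():
        print(f"{n} orphaned endpoint(s) holding IPs in {subnet}")
```

The audit deliberately checks both signals rather than relying on the connection state alone: the staging Key Vault endpoint in the sample still reports `Approved` even though its target is gone, so cross-referencing the target resource ID against the live inventory is what surfaces it. The per-subnet count of orphaned endpoints gives the IP address exhaustion figure mentioned in the explanation, and the untagged finding is a governance signal rather than proof that an endpoint is orphaned.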