Finding and Removing Unused Azure Virtual Network Gateways

If you have unused Azure virtual network gateways, it's important to remove them to lower your cloud costs. In this guide, we'll show you how to find and remove them.

Patrick Londa, Author
Sep 21, 2022 • 5 min read

Azure virtual network gateways, made up of two or more Virtual Machines (VMs) attached to a dedicated subnet, are the mechanism commonly used to carry encrypted traffic between cloud networks and on-premises locations over the internet.

If your organization has Azure gateways that are not being used, they need to be cleaned up to reduce security risks and lower your cloud costs.

In this guide, we will show you how to find Azure virtual network gateways that are not being used, and then delete them from your account.


How to Find Unused Azure Virtual Network Gateways

Finding gateways with no connections requires some manual reviewing. Here are two methods for approaching it:

Using the Azure Portal

1. Log in to the Azure portal and, from the portal menu, select or search for “All resources”.

2. Select a virtual network gateway.

3. Click Connections on the blade for your virtual network gateway to see the status of each connection. If there are no connections listed, then the gateway is unused and a candidate for removal.

4. If you want to verify a connection, click to open “Essentials”, which shows whether the status is “Succeeded” and “Connected”. If the status is not “Succeeded” and “Connected”, the connection is not active.

Once you find gateways that are not in use, you can move to the next step of deleting them.

Using the Azure CLI & Network Gateway API

1. List all of your virtual network gateways. Run the following command, specifying the resource group to list (the --resource-group value is required; replace the placeholder with your own group name):

az network vnet-gateway list --resource-group <resource-group-name>

2. List all the connections for a given gateway with this API call:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworkGateways/{virtualNetworkGatewayName}/connections?api-version=2022-01-01

You’ll see output like this, listing the connections that belong to that gateway:

{
  "value": [
    {
      "name": "test-vpn-connection",
      "id": "/subscriptions/subid/resourceGroups/testrg/providers/Microsoft.Network/connections/test-vpn-connection",
      "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
      "type": "Microsoft.Network/connections",
      "location": "eastus",
      "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "00000000-0000-0000-0000-000000000000",
        "virtualNetworkGateway1": {
          "id": "/subscriptions/subid/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworkGateways/test-vpn-gateway-1"
        },
        "virtualNetworkGateway2": {
          "id": "/subscriptions/subid/resourceGroups/testrg-2/providers/Microsoft.Network/virtualNetworkGateways/test-vpn-gateway-2"
        },
        "connectionType": "Vnet2Vnet",
        "routingWeight": 22,
        "enableBgp": true,
        "usePolicyBasedTrafficSelectors": false,
        "ipsecPolicies": [],
        "trafficSelectorPolicies": [],
        "ingressBytesTransferred": 0,
        "egressBytesTransferred": 0
      }
    }
  ]
}

If the value array in the response is empty for a gateway, that gateway has no connections and you can move on to deleting it.
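The script below is an added example, not code from the original post or from Blink's automation. It applies the two rules above to the JSON that the Connections API returns: an empty value array means the gateway is unused, and a connection only counts as active when its provisioningState is Succeeded and its connectionStatus is Connected (connectionStatus is a property the live API returns; the trimmed sample above omits it). Gateways whose connections all fail the active check are reported separately so they can be reviewed before removal. fetch_connections() shells out to az rest and therefore needs a signed-in Azure CLI; SAMPLE_LISTINGS is constructed data in the shape of the post's response.

```python
"""Classify Azure virtual network gateways by the state of their connections.

Added example (not code from the original post or from Blink). Rules:
  - a gateway whose Connections API response has an empty "value" array
    has no connections and is unused;
  - a connection is active only when provisioningState == "Succeeded" and
    connectionStatus == "Connected" (connectionStatus is returned by the
    live API; the trimmed sample in the post omits it).
fetch_connections() needs a signed-in Azure CLI; SAMPLE_LISTINGS is
constructed data shaped like the post's JSON.
"""
import json
import subprocess

API_VERSION = "2022-01-01"  # same api-version as the GET call in the post


def connections_url(subscription_id, resource_group, gateway_name):
    """Build the Connections API URL shown in the post."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        "/providers/Microsoft.Network/virtualNetworkGateways"
        f"/{gateway_name}/connections?api-version={API_VERSION}"
    )


def fetch_connections(subscription_id, resource_group, gateway_name):
    """Fetch a gateway's connections through `az rest` (requires `az login`)."""
    result = subprocess.run(
        ["az", "rest", "--method", "get",
         "--url", connections_url(subscription_id, resource_group, gateway_name)],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def is_active(connection):
    """The portal's Essentials rule: Succeeded and Connected."""
    props = connection.get("properties", {})
    return (props.get("provisioningState") == "Succeeded"
            and props.get("connectionStatus") == "Connected")


def classify_gateway(listing):
    """Return 'unused', 'no-active-connections' or 'in-use' for one listing."""
    connections = listing.get("value", [])
    if not connections:
        return "unused"
    if not any(is_active(c) for c in connections):
        return "no-active-connections"
    return "in-use"


def removal_candidates(listings):
    """listings maps gateway name -> Connections API response.

    Returns gateways with no connections or only inactive ones; review the
    latter with the owning team before deleting anything.
    """
    return sorted(name for name, listing in listings.items()
                  if classify_gateway(listing) != "in-use")


# Constructed sample data, shaped like the response shown in the post.
SAMPLE_LISTINGS = {
    "test-vpn-gateway-1": {"value": [{
        "name": "test-vpn-connection",
        "properties": {"provisioningState": "Succeeded",
                       "connectionStatus": "Connected",
                       "connectionType": "Vnet2Vnet"}}]},
    "stale-gateway": {"value": [{
        "name": "stale-connection",
        "properties": {"provisioningState": "Succeeded",
                       "connectionStatus": "NotConnected",
                       "connectionType": "IPsec"}}]},
    "orphan-gateway": {"value": []},
}


if __name__ == "__main__":
    for name, listing in SAMPLE_LISTINGS.items():
        print(f"{name}: {classify_gateway(listing)}")
    print("candidates for removal:", removal_candidates(SAMPLE_LISTINGS))
```

To run it against a real subscription, replace SAMPLE_LISTINGS with a dictionary built by calling fetch_connections() for each gateway name returned by az network vnet-gateway list.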

Deleting Unused Azure Virtual Network Gateways

Once you have identified virtual network gateways that have no connections, or ones you otherwise know you want to remove, the next step is to delete them:

Using the Azure Portal

1. Go to the virtual network gateway.

  • In the Azure Portal, go to All resources.
  • Click to select the virtual network gateway page.

2. Delete any connections.

  • Once on the page, click Connections to display all connections to the gateway. If the gateway has no connections, you can skip to Step 3.
  • Click "..." on the connection name row and select Delete from the shown dropdown list.
  • Click Yes to confirm, and if you wish to delete multiple connections, do so one by one. Make sure that deleting connections will not impact necessary operations. 

3. Delete the virtual network gateway.

  • On the virtual network gateway page, click Overview.
  • On Overview, click Delete.
  • This should delete all of your selected unused Azure virtual network gateways.

Using the Azure CLI

1. Disconnect existing connections.

If a gateway still has connections but is no longer needed, remove the connections before you delete the gateway. Make sure this will not disrupt any operations that you want to continue.

az network vnet-gateway disconnect-vpn-connections --vpn-connections
                                                    [--ids]
                                                    [--name]
                                                    [--no-wait]
                                                    [--resource-group]

2. Delete the virtual network gateway:

You can use the following command to delete a specific gateway:

az network vnet-gateway delete -g MyResourceGroup -n MyVnetGateway

Follow these steps for each gateway and you’ll be able to find and remove all unnecessary gateways.
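The following script is an added example, not code from the original post or from Blink. It builds the teardown in the order the CLI section describes, connections first and the gateway last, and runs nothing unless apply=True, so the default output is a dry-run listing of the az commands. One substitution of mine: for site-to-site and VNet-to-VNet connections (Microsoft.Network/connections resources, as in the JSON earlier) it uses az network vpn-connection delete rather than disconnect-vpn-connections. It also refuses to proceed while any connection is still Succeeded and Connected unless force=True, which is the "make sure this will not disrupt operations" check turned into code. The listing passed in is assumed to be a Connections API response; the sample used in the usage block is constructed.

```python
"""Plan, and optionally execute, removal of an unused virtual network gateway.

Added example (not code from the original post or from Blink). Ordering
follows the post: delete the gateway's connections, then the gateway.
Substitution: connection resources are removed with
`az network vpn-connection delete` (my choice, not the post's command).
Nothing runs unless apply=True; the listing is a Connections API response
like the one shown in the post.
"""
import shlex
import subprocess


def is_active(connection):
    """Succeeded and Connected, the same rule the portal's Essentials view shows."""
    props = connection.get("properties", {})
    return (props.get("provisioningState") == "Succeeded"
            and props.get("connectionStatus") == "Connected")


def connection_names(listing):
    """Names of all connections in a Connections API response."""
    return [c["name"] for c in listing.get("value", [])]


def removal_plan(resource_group, gateway_name, names):
    """Return the az commands, in order, that remove the connections then the gateway."""
    plan = [["az", "network", "vpn-connection", "delete",
             "--resource-group", resource_group, "--name", name]
            for name in names]
    plan.append(["az", "network", "vnet-gateway", "delete",
                 "--resource-group", resource_group, "--name", gateway_name])
    return plan


def remove_gateway(resource_group, gateway_name, listing, apply=False, force=False):
    """Dry-run (default) or execute the removal plan for one gateway.

    Raises RuntimeError if any connection is still active and force is False,
    so a gateway that is carrying traffic is not torn down by accident.
    """
    active = [c["name"] for c in listing.get("value", []) if is_active(c)]
    if active and not force:
        raise RuntimeError(f"{gateway_name} still has active connections: {active}")
    plan = removal_plan(resource_group, gateway_name, connection_names(listing))
    for argv in plan:
        if apply:
            subprocess.run(argv, check=True)  # needs a signed-in Azure CLI
        else:
            print("DRY RUN:", shlex.join(argv))
    return plan


if __name__ == "__main__":
    # Constructed listing: one stale connection that is no longer Connected.
    stale_listing = {"value": [{
        "name": "stale-connection",
        "properties": {"provisioningState": "Succeeded",
                       "connectionStatus": "NotConnected"}}]}
    remove_gateway("testrg", "stale-gateway", stale_listing)  # prints the plan only
```

Run it first without apply to read the plan, then rerun with apply=True once the owning team has confirmed the gateway is not needed.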

Automate Checks for Unused Azure Gateways with Blink

By following the steps above, you can find and remove unused gateways, but it's a time-intensive process. Depending on your scale, the manual reviewing required with this approach might be unfeasible.

If you want to run this check for unused gateways regularly and at scale, you need automations to help make this task routine.

With Blink, you can use this automation to identify gateways with no connections and queue them for removal.

Blink Automation: Ensure Unused Virtual Network Gateways are Removed in Azure

When this automation runs, it executes the following steps:

  1. Checks your Azure account to see if there are any unused virtual network gateways.
  2. Sends the results to a designated email.

You can also customize this automation to add a removal step for unused gateways if approved via Slack.

There are over 5K automations in the Blink library you can use right away, or you can build new automations from scratch with drag-and-drop actions to fit your unique use case.

Get started with Blink today to see how easy automation can be.
