Finding and Removing Unused Azure Virtual Network Gateways

Azure virtual network gateways, made up of two or more Virtual Machines (VMs) attached to a given subnet, are the mechanism commonly used to bridge encrypted data traffic between cloud networks and on-premises locations over the internet.

If your organization has Azure gateways that are not being used, they need to be cleaned up to reduce security risks and lower your cloud costs.

In this guide, we will show you how to find Azure virtual network gateways that are not being used, and then delete them from your account.

How to Find Unused Azure Virtual Network Gateways

Finding gateways with no connections requires some manual reviewing. Here are two methods for approaching it:

Using the Azure Portal

1. Log in to the Azure portal menu and select or search for “All resources”

2. Select a virtual network gateway.

3. Click Connections on the blade for your virtual network gateway to see the status of each connection. If there are no connections listed, then the gateway is unused and a candidate for removal.

4. If you want to verify a connection, click to open “Essentials”, which will show if the status is 'Succeeded' and 'Connected'. If the status is not ‘Succeeded’ and ‘Connected’, the connection is not active.

Once you find gateways that are not in use, you can move to the next step of deleting them.

Using the Azure CLI & Network Gateway API

1. List all of your virtual network gateways. You can run the following command and specify by resource group.

az network vnet-gateway list --resource-group

2. List all the connections for a given gateway with this API call:

GET
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworkGateways/{virtualNetworkGatewayName}/connections?api-version=2022-01-01

You’ll see an output like this that shows the connections related to the specific gateway: 

{
  "value": [
    {
      "name": "test-vpn-connection",      
      "id":
"/subscriptions/subid/resourceGroups/testrg/providers/Microsoft.Network/connections/test-vpn-connection",
      "etag": "W/\\\"00000000-0000-0000-0000-000000000000\\\"",
      "type": "Microsoft.Network/connections",
      "location": "eastus",
      "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "00000000-0000-0000-0000-000000000000",
        "virtualNetworkGateway1": {
          "id":
"/subscriptions/subid/resourceGroups/testrg/providers/Microsoft.Network/virtualNetworkGateways/test-vpn-gateway-1"
        },
        "virtualNetworkGateway2": {
          "id":
"/subscriptions/subid/resourceGroups/testrg-2/providers/Microsoft.Network/virtualNetworkGateways/test-vpn-gateway-2"
        },
        "connectionType": "Vnet2Vnet",
        "routingWeight": 22,
        "enableBgp": true,
        "usePolicyBasedTrafficSelectors": false,
        "ipsecPolicies": [],
        "trafficSelectorPolicies": [],
        "ingressBytesTransferred": 0,
        "egressBytesTransferred": 0
      }
    }
  ]
}

If a gateway returns no value, then it has no connections and you can move to delete it.

Deleting Unused Azure Virtual Network Gateways

Once you have identified any virtual network gateways that have no connections, or ones that you know you want to remove, next you need to delete them. Here are the steps:

Using the Azure Portal

1. Go to the virtual network gateway.

• In the Azure Portal, go to All resources.
• Click to select the virtual network gateway page.

2. Delete any connections.

• Once on the page, click Connections to display all connections to the gateway. If the gateway has no connections, you can skip to Step 3.
• Click "..." on the connection name row and select Delete from the shown dropdown list.
• Click Yes to confirm, and if you wish to delete multiple connections, do so one by one. Make sure that deleting connections will not impact necessary operations. 

3. Delete the virtual network gateway.

• On the virtual network gateway page, click Overview.
• On Overview, click Delete.
• This should delete all of your selected unused Azure virtual network gateways.

Using the Azure CLI

1. Disconnect existing connections.

If you identify that a gateway has connections, but is still no longer needed, you should first remove the connections before you delete the gateway. Make sure this will not disrupt any operations that you want to continue.

az network vnet-gateway disconnect-vpn-connections --vpn-connections
					[--ids]
					[--name]
					[--no-wait]
					[--resource-group]

2. Delete the virtual network gateway:

You can use the following command to delete a specific gateway:

az network vnet-gateway delete -g MyResourceGroup -n MyVnetGateway

Follow these steps for each gateway and you’ll be able to find and remove all unnecessary gateways.

Automate Checks for Unused Azure Gateways with Blink

By following the steps above, you can find and remove unused gateways, but it's a time-intensive process. Depending on your scale, the manual reviewing required with this approach might be unfeasible.

If you want to run this check for unused gateways regularly and at scale, you need automations to help make this task routine.

When you create a Blink account, you can schedule automated checks that alert you to any unused Azure virtual network gateways and other idle resources. Lower your cloud costs with simple no-code automations and actionable Slack notifications.

Get started and create your free Blink account today.