How to identify and locate unused Azure resources
Why find unused Azure resources
If unused cloud resources had no negative consequences, nobody would bother looking for them. Put differently: when you search for such resources in your cloud environment, you do so with a particular objective in mind, for example:
Saving on resource costs (cost optimization)
Reducing the potential attack surface on your infrastructure (security hardening)
Minimizing management overhead linked to supporting resources (operational excellence)
Scaling down overprovisioned resources (cost optimization)
Eliminating ambiguity during application deployment or updates to avoid incorrect resource usage (error reduction), among others.
Knowing your primary objective lets you approach the question from the right angle, because what counts as an "unused" resource depends on why you are looking. An example illustrates this.
Why do unused resources exist in the cloud at all? A large enterprise may run hundreds of applications on thousands of infrastructure components, and that infrastructure changes constantly: applications are updated, new services are deployed, others are decommissioned, internal processes change, teams are reorganized. A change in one area is not always coordinated with the others, which leaves gaps in existing processes and produces misconfigurations. These misconfigurations, unused resources among them, can add up to hundreds or thousands of individual cloud services, while the time and people available to work through them are limited. It therefore makes sense to focus on what matters most. If cost is the concern, identify and prioritize the main cost drivers. If security is the concern, prioritize the unused resources that create real exposure: an idle Azure VM with a public IP and open management ports (SSH or RDP reachable from the Internet) is a far greater threat to your environment than an empty resource group or an unattached disk.
With the problem you want to solve defined, the assessment can begin. The following tools help identify unused resources in an Azure environment.
The Azure Orphan Resources Workbook is a quick way to evaluate Azure subscriptions for orphaned resources. Behind the scenes it runs Azure Resource Graph queries against the selected scope, so it reports resources whose configuration shows they are attached to nothing: disks without a VM, NSGs without a subnet or network interface, public IPs without an IP configuration, and similar cases. That makes it a reliable starting point when analyzing a new environment and for deciding where to look first.
Continuous Cloud Optimization Insights is a Power BI-based solution that consolidates data from several Azure services into richer reports on your cloud environment. Rather than tracking unused resources alone, it aggregates recommendations from Azure Advisor, Microsoft Defender for Cloud, Azure Monitor and others, which gives a more complete picture of actual resource usage.
Azure Advisor is less thorough at finding unused resources than the dedicated tools above, but it does list the main sources of cloud waste and how to address them, particularly underutilized capacity and potential security risks. It is free, available in the Azure portal, and needs no additional configuration. Its recommendations are grouped into categories (Cost, Security, Reliability, Operational excellence, Performance) that map directly onto the search objectives listed above.
Azure Resource Graph is the tool for in-depth analysis of Azure resource configuration. With Kusto Query Language (KQL) queries you can efficiently list unattached disks, network security groups (NSGs) not associated with any subnet or network interface, and much more. Where the Orphan Resources Workbook gives an overview, Resource Graph lets you drill into specific properties and tailor the search to your environment. One caveat: Resource Graph reports configuration state, not activity. It will find a disk that no VM references, but not a VM that nobody has logged into for a year; that question needs Azure Monitor.
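The following is an added example and not code from the article or from the Orphan Resources workbook. It carries the KQL for three common orphan types as you would pass it to `az graph query -q "<query>"`, restates the same conditions as Python predicates so the logic can be run offline, and then ranks the findings by objective (cost or security) to show how the objective changes the answer. The sample rows are constructed here in the shape of Resource Graph rows; the security weights and the crude cost score are assumptions for illustration.

```python
"""Resource Graph orphan hunt (added example; not the article's or the
workbook's code). KQL strings are what you pass to `az graph query -q`;
the Python predicates restate the same conditions for offline use against
SAMPLE_ROWS, which are constructed in the shape of Resource Graph rows.
SECURITY_WEIGHT and the cost score are assumptions for illustration."""

KQL = {
    # Disks: managedBy holds the owning VM id; empty means unattached.
    "unattached_disk": """
resources
| where type =~ 'microsoft.compute/disks'
| where isempty(managedBy)
| project id, name, resourceGroup, sizeGB = properties.diskSizeGB
""",
    # NSGs: orphaned when associated with neither a NIC nor a subnet.
    "orphan_nsg": """
resources
| where type =~ 'microsoft.network/networksecuritygroups'
| where isnull(properties.networkInterfaces) and isnull(properties.subnets)
| project id, name, resourceGroup
""",
    # Public IPs: unused when no IP configuration, NAT gateway or prefix refers to them.
    "unused_public_ip": """
resources
| where type =~ 'microsoft.network/publicipaddresses'
| where isempty(tostring(properties.ipConfiguration))
    and isempty(tostring(properties.natGateway))
    and isempty(tostring(properties.publicIPPrefix))
| project id, name, resourceGroup, allocation = properties.publicIPAllocationMethod
""",
}


def unattached_disk(row):
    return row["type"].lower() == "microsoft.compute/disks" and not row.get("managedBy")


def orphan_nsg(row):
    props = row.get("properties", {})
    return (row["type"].lower() == "microsoft.network/networksecuritygroups"
            and not props.get("networkInterfaces") and not props.get("subnets"))


def unused_public_ip(row):
    props = row.get("properties", {})
    return (row["type"].lower() == "microsoft.network/publicipaddresses"
            and not any(props.get(k) for k in ("ipConfiguration", "natGateway", "publicIPPrefix")))


CHECKS = {"unattached_disk": unattached_disk, "orphan_nsg": orphan_nsg,
          "unused_public_ip": unused_public_ip}

# Assumed weights: a free public IP can be attached to anything and keeps its DNS
# label; an orphaned disk may still hold data and secrets of its former VM; an
# NSG with no association enforces nothing.
SECURITY_WEIGHT = {"unused_public_ip": 3, "unattached_disk": 2, "orphan_nsg": 1}


def find_orphans(rows):
    """Apply every check to every row; a row is reported at most once."""
    findings = []
    for row in rows:
        for kind, check in CHECKS.items():
            if check(row):
                props = row.get("properties", {})
                findings.append({"kind": kind, "name": row["name"], "id": row["id"],
                                 "resourceGroup": row.get("resourceGroup"),
                                 "sizeGB": props.get("diskSizeGB", 0),
                                 "allocation": props.get("publicIPAllocationMethod")})
                break
    return findings


def score(finding, objective):
    """Crude ranking: cost = GB of idle disk, or 1 for a billed static IP;
    security = assumed weight of the finding kind."""
    if objective == "cost":
        if finding["kind"] == "unattached_disk":
            return finding["sizeGB"]
        if finding["kind"] == "unused_public_ip":
            return 1 if finding["allocation"] == "Static" else 0
        return 0
    return SECURITY_WEIGHT[finding["kind"]]


def prioritise(findings, objective):
    return sorted(findings, key=lambda f: score(f, objective), reverse=True)


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"


def _row(rg, provider_type, name, props, managed_by=""):
    """Constructed sample row; Resource Graph lower-cases the type column."""
    return {"id": f"{SUB}/{rg}/providers/{provider_type}/{name}", "name": name,
            "type": provider_type.lower(), "resourceGroup": rg,
            "managedBy": managed_by, "properties": props}


SAMPLE_ROWS = [  # constructed, not real resources
    _row("rg-app", "Microsoft.Compute/disks", "vm01-osdisk", {"diskSizeGB": 128, "diskState": "Attached"},
         managed_by=f"{SUB}/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"),
    _row("rg-app", "Microsoft.Compute/disks", "old-data-disk", {"diskSizeGB": 512, "diskState": "Unattached"}),
    _row("rg-app", "Microsoft.Network/networkSecurityGroups", "nsg-web",
         {"subnets": [{"id": f"{SUB}/rg-app/providers/Microsoft.Network/virtualNetworks/vnet/subnets/web"}]}),
    _row("rg-test", "Microsoft.Network/networkSecurityGroups", "nsg-test-old", {}),
    _row("rg-app", "Microsoft.Network/publicIPAddresses", "pip-web", {"publicIPAllocationMethod": "Static",
         "ipConfiguration": {"id": f"{SUB}/rg-app/providers/Microsoft.Network/networkInterfaces/nic01/ipConfigurations/ipconfig1"}}),
    _row("rg-test", "Microsoft.Network/publicIPAddresses", "pip-forgotten", {"publicIPAllocationMethod": "Static"}),
]

if __name__ == "__main__":
    for objective in ("security", "cost"):
        print(objective)
        for f in prioritise(find_orphans(SAMPLE_ROWS), objective):
            print(f"  {score(f, objective):>4}  {f['kind']:<18} {f['resourceGroup']}/{f['name']}")
```

Run against real data by replacing SAMPLE_ROWS with the `data` array of `az graph query -q "$query" -o json` for each KQL string; the predicates are deliberately kept identical to the KQL so that a mismatch between the two lists points at a field you misread. Exclude names your replication or backup tooling creates on purpose before acting on the disk list.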
Azure Monitor is not the first tool that comes to mind for finding unused resources, but it is the primary source for analyzing how much a resource is actually used. Configuration alone rarely proves that a resource is idle; metrics let you form a well-founded suspicion. You can, for instance, look at the number of requests served by an App Service, the CPU and memory utilization of an App Service plan, or the transactions performed against a Storage account over a given period. Resources with consistently low usage go on the list for verification with their owners. Two caveats apply. First, choose an observation window that covers the resource's business cycle: a month-end batch job looks idle on 29 days out of 30. Second, platform metrics are retained for 93 days, so longer histories must be exported to a Log Analytics workspace through diagnostic settings. Low usage also does not always mean unneeded: disaster-recovery standbys and break-glass resources are idle by design.
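As an added example, not code from the article, the check below classifies a resource from daily Azure Monitor metrics. The sample documents are constructed in the shape returned by `az monitor metrics list --resource <id> --metric <name> --interval P1D -o json`, with two calls merged into one document (Requests from a web app, CpuPercentage from its App Service plan). The thresholds and the 28-day minimum are assumptions to tune per environment; the point of the short-window and month-end samples is the observation-window caveat above.

```python
"""Idle check on Azure Monitor metrics (added example, not the article's code).
SAMPLE_* documents are constructed in the shape of `az monitor metrics list`
output, with Requests (web app) and CpuPercentage (App Service plan) merged.
min_days, max_requests and max_cpu_p95 are assumed thresholds."""
import math
from datetime import datetime, timedelta, timezone


def series(metrics, name):
    """Flatten every timeseries of the named metric into one list of points."""
    for m in metrics["value"]:
        if m["name"]["value"] == name:
            return [p for ts in m["timeseries"] for p in ts["data"]]
    return []


def percentile(values, pct):
    """Nearest-rank percentile; None when there are no samples."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]


def assess(metrics, min_days=28, max_requests=100, max_cpu_p95=5.0):
    """Classify a resource from a daily-resolution metrics document.

    Azure emits a point with a null value for intervals that recorded nothing:
    for a count metric that is zero traffic, for an average it is no sample."""
    req_points = series(metrics, "Requests")
    cpu_points = series(metrics, "CpuPercentage")
    days = len({p["timeStamp"][:10] for p in req_points})
    requests_total = sum(p.get("total") or 0 for p in req_points)
    cpu_p95 = percentile([p["average"] for p in cpu_points if p.get("average") is not None], 95)
    result = {"days": days, "requests_total": requests_total, "cpu_p95": cpu_p95}
    if days < min_days:
        result["verdict"] = "insufficient_data"  # never judge on a short window
    elif requests_total <= max_requests and (cpu_p95 is None or cpu_p95 <= max_cpu_p95):
        result["verdict"] = "idle_candidate"  # confirm with the owner before removing
    else:
        result["verdict"] = "in_use"
    return result


def make_sample(daily_requests, daily_cpu):
    """Build a constructed document in the `az monitor metrics list` shape."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def points(key, values):
        return [{"timeStamp": (start + timedelta(days=i)).isoformat(), key: v}
                for i, v in enumerate(values)]

    return {"value": [
        {"name": {"value": "Requests", "localizedValue": "Requests"}, "unit": "Count",
         "timeseries": [{"metadatavalues": [], "data": points("total", daily_requests)}]},
        {"name": {"value": "CpuPercentage", "localizedValue": "CPU Percentage"}, "unit": "Percent",
         "timeseries": [{"metadatavalues": [], "data": points("average", daily_cpu)}]},
    ]}


# Constructed samples: health-probe traffic only, a busy app, too little history,
# and a resource that is idle except for a month-end batch run.
SAMPLE_IDLE = make_sample([0] * 25 + [None] * 3 + [2, 1], [0.5] * 30)
SAMPLE_BUSY = make_sample([5000] * 30, [35.0] * 28 + [80.0, 90.0])
SAMPLE_SHORT = make_sample([0] * 7, [0.2] * 7)
SAMPLE_BATCH = make_sample([0] * 29 + [20000], [0.3] * 29 + [70.0])

if __name__ == "__main__":
    for label in ("SAMPLE_IDLE", "SAMPLE_BUSY", "SAMPLE_SHORT", "SAMPLE_BATCH"):
        print(label, assess(globals()[label]))
```

The month-end sample is classified as in use only because the window includes day 30; the same resource observed for 29 days would come out as an idle candidate, which is why the window must cover the business cycle and why the verdict is a candidate for review rather than a deletion order.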
Relying on these tools alone is a reactive approach, however: they find waste after it has been created. The question remains what can be done proactively to prevent, or at least minimize, the waste of cloud resources.
To address the prevention of cloud resource waste, it is crucial to understand why it occurs in the first place.
The first reason is the lack of lifecycle management for cloud resources, comparable to Application Lifecycle Management (ALM) for software. It usually goes together with a missing or poorly maintained Configuration Management Database (CMDB) for cloud resources. Without one it is hard to tell who owns a resource, which application or service it belongs to, and whether it is still needed. A well-maintained CMDB for Azure resources is essential for a tidy and efficient infrastructure; in practice that starts with mandatory owner and application tags on every resource, enforced with Azure Policy rather than left to convention, so that every finding from the tools above can be routed to someone who can answer the question "is this still needed?".
Another significant factor is the absence of performance monitoring and of a defined capacity management process. Without utilization data and an understanding of usage patterns, nobody can make informed decisions about scaling resources up or down to match demand. A website running on a Premium App Service plan may use a fraction of the plan's capacity and would run just as well on a smaller, cheaper tier. The same applies to storage: choosing the right disk type (Standard HDD instead of Premium SSD where the IOPS allow it) and matching access tiers (Hot, Cool, Archive) to actual access patterns removes waste. Autoscaling and consumption-based (serverless) services partially address overprovisioning, but only if resources are deliberately designed around these cloud-native patterns.
The third, less obvious reason is the absence of established security controls for cloud resources and the applications running on them. Security and waste are more closely related than they appear: an unused resource is still a resource. A forgotten VM keeps its public IP, its credentials and an increasingly outdated image that nobody patches; an orphaned storage account still holds data and access keys. Regular security assessments and automated scans for vulnerabilities, misconfigurations, unauthorized access and data leaks surface exactly these resources, and deleting them is often the cheapest remediation. In that sense security practices act as a trigger for removing resources left over from testing or other outdated purposes, and a smaller estate is in turn easier to assess.
Completely preventing cloud waste is hard; minimizing its impact is the realistic goal. Focus on limiting the effect of unused resources in both the design and the operation phase of cloud infrastructure. In the design phase, use cloud-native patterns and prefer services that support autoscaling and consumption-based pricing. In the operation of existing resources, the supporting infrastructure processes do the work. These include:
Configuration Management (CMDB),
Monitoring (performance, events, infrastructure-specific, and application-tailored),
Capacity management,
Security/vulnerability scans.
Practices such as Continuous Deployment, Infrastructure as Code, Disposable Environments, Immutable Infrastructure and Application Performance Management further reduce waste and raise the overall standard of cloud resource management. Before any prevention measure is put in place, however, define what "useful" means for a resource in your environment and assess the environment to find the largest gaps in effective resource utilization.