Floating IP attach/detachment issues in Azure HA environment after shutting down the primary and secondary unit

Created On 09/03/20 08:06 AM - Last Modified 09/07/20 10:47 AM


Symptom


VM-Series supports Active/Passive High-Availability (HA) on Azure. The HA solution is based on a Floating IP address that moves from one peer to the other. Because you cannot move the IP address associated with the primary interface of the PA-VM on Azure, you need to assign a Secondary IP address that can function as a Floating IP address.

The Floating IP can remain attached to a shut-down instance and does not transition to the peer instance once that peer is powered on.

As an example, this can happen in the following two scenarios:

Case 1: New Deployment

  • State 1: Both firewalls in Shutdown state, Floating IP exists on FW2.

    FW1 Shutdown
    FW2 Shutdown - Floating IP

  • State 2: FW1 instance is powered on first and becomes Active; however, the Floating IP continues to exist on FW2.

    FW1 Active
    FW2 Shutdown - Floating IP

Case 2: Existing Deployment

  • State 1: Both firewall instances are up and running with the Floating IP associated with FW1 (currently Active).

    FW1 Active - Floating IP
    FW2 Passive

  • State 2: FW1 is shut down and the Floating IP moves successfully to the current Active instance, i.e. FW2.

    FW1 Shutdown
    FW2 Active - Floating IP

  • State 3: FW2 instance is shut down with the Floating IP on it.

    FW1 Shutdown
    FW2 Shutdown - Floating IP

  • State 4: FW1 is powered on and becomes Active, but the Floating IP continues to exist on FW2, which is in Shutdown state.

    FW1 Active
    FW2 Shutdown - Floating IP



Environment


Active/Passive HA in Azure.

Cause


The detachment and attachment of the Secondary IP address is always triggered by the instance that changes from state Passive to Active. Therefore, prior to the failover, the new Active instance needs to know where the Floating IP is attached. The new Active instance always assumes that the Floating IP is attached to the old Active instance and sends a Detach/Attach message to the Azure management API server for all Secondary IPs associated with the network interfaces of the old Active instance. If the Floating IP is in fact attached to a different instance (for example a peer that was shut down while holding it), that request does not cover the interface that actually carries it, and the Floating IP stays where it is.



Resolution


During a new deployment, always create the Floating IP on the instance that will boot first. Both instances have to boot and discover each other before the Floating IP can be moved to the Active instance.

To avoid ending up with the Floating IP attached to the wrong instance in new deployments, or when all instances are down, always start the instance that currently has the Floating IP attached first, or start both instances at the same time.
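To put this resolution into practice before powering the pair back on, the following added example (not Palo Alto Networks or Azure code) reads the JSON that `az network nic list -g <resource-group> -o json` returns, reports which firewall VM's NIC currently carries the floating (secondary) IP configuration, and orders the instances so that one is started first. The NIC data embedded below is constructed; both spellings of the private address key are accepted because the CLI's output casing has varied across versions.

```python
import json

# Constructed sample: FW2's NIC carries the secondary IP config 10.0.1.100
# while both instances are shut down (Case 1 / Case 2 State 3 above).
NIC_LIST_JSON = """[
 {"name": "fw1-eth1",
  "virtualMachine": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/fw1"},
  "ipConfigurations": [
   {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.1.4"}]},
 {"name": "fw2-eth1",
  "virtualMachine": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/fw2"},
  "ipConfigurations": [
   {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.1.5"},
   {"name": "floating", "primary": false, "privateIPAddress": "10.0.1.100"}]}
]"""

def load_nics(json_text):
    """Parse the raw `az network nic list -o json` output."""
    return json.loads(json_text)

def find_floating_ip_owner(nics, floating_ip):
    """Return (vm_name, nic_name, ipconfig_name) for the non-primary ipconfig
    holding floating_ip, or None if no NIC carries it."""
    for nic in nics:
        for cfg in nic.get("ipConfigurations", []):
            # CLI versions differ in key casing; accept both spellings.
            addr = cfg.get("privateIPAddress", cfg.get("privateIpAddress"))
            if addr == floating_ip and not cfg.get("primary", False):
                vm_id = (nic.get("virtualMachine") or {}).get("id", "")
                vm_name = vm_id.rsplit("/", 1)[-1] if vm_id else None
                return vm_name, nic["name"], cfg["name"]
    return None

def start_order(nics, floating_ip, firewalls):
    """Order the peers so the instance holding the floating IP boots first,
    as the resolution requires. None means no NIC carries the floating IP."""
    owner = find_floating_ip_owner(nics, floating_ip)
    if owner is None:
        return None
    holder = owner[0]
    return [holder] + [fw for fw in firewalls if fw != holder]

if __name__ == "__main__":
    nics = load_nics(NIC_LIST_JSON)
    print("floating IP owner:", find_floating_ip_owner(nics, "10.0.1.100"))
    print("start in this order:", start_order(nics, "10.0.1.100", ["fw1", "fw2"]))
```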


