A quick update, I found a Cisco doc that says that the ASAv in Azure can be deployed in a HA active/passive pair.
- WatchGuard Firebox Cloud: single node only
- Cisco ASAv: active/passive
- Check Point CloudGuard: active/passive
- Barracuda CloudGen Firewall: active/passive
- Palo Alto VM-Series: active/active
The Cisco docs are quite incomplete. A pair of NVAs, each with 4 NICs in 4 subnets, are deployed. But no load balancers to unify the flows are deployed. Instead, Cisco wants to automate the editing of route tables from the appliance – over my dead body! 3 commands per route table, 1 route table per subnet, many subnets … and the Cisco NVAs do not sync their configuration so you have to two it twice … identically.