well, maybe spoke too soon as I see nothing coming from enabling the business services to TRACE and setting:

Set tSC = ..%sshSession.SetTraceMask(64,"/tmp/sftp-trace.log")
Set tSC = ..%sshSession.SetTraceMask(256,"/tmp/sftp-keys.log")

still not seeing any tracing at this point.

This is great Mark, excellent write up.

Ran into a similar problem a couple of years ago on AWS with the mirror VIP, had a less sophisiticated solution with a custom business service on a target production/namespace listening for a keep alive socket the ELB to detect which Mirror Member was active.... re-used it for an auto-scaling group too for an indicator for availability we could put logic behind.   Those links up there to the routines appears broke for me, would love to take a look at that magic.

What's Azure's VPN for solution look like for site 2 site connections?   The diagrams above maybe suggest this is possibly bolted to on-prem, but just curious if you had any comments to that with Azure.

Did you provision a DNS Zone on a legible domain for internal communications?  I abused a couple of *.info domains for this purpose and found that the hostnames enumerated from Cache were from the Instances and not very usable for interhost communication and broke things like Enterprise Manager, HS Endpoint Enumeration, etc.

Does Azure have an Internet Gateway or a NAT solution to provide communication outbound from a single address (or fault tolerance) ?  The diagram for Web Server Load Balancing looks like they work for both inbound and outbound just wondered if that was the case.

Again, excellent resource, thanks for taking the time.