Active Active Advanced WAF behind Azure LB Best Practice

On a green field, I'd probably use the F5 DNS Load Balancer Cloud Service to load balance between two AdvWAF load balancers.

For the case of single NIC or n-NIC deployments, I'd suggest to use a single NIC deployment and to use a LTM Traffic Policy that will assign a Security Policy, Pool and whateverelse based on the Host Header value. Or for more granularity on Host Header and URI.

For SSL profiles you should use SNI.

Important question to solve is - how do you keep the config in sync?

I'd not bother users with learning multiple ports for multiple web apps. That's torture.

And I strongly recommend against using F5 Cloud Failover Extension. In my opinion there is no good reason to run an expensive instance in Azure or AWS in standby. That stuff is expensive, hence it should be active.