I have 3 appliances in my environment, the one caveat I have for you is 3 appliance minimum.

2 appliances load balanced to serve the end user community. The third appliance is the admin console.

When we first deployed and we had all 3 appliances in the app pool, end users had a 1 in 3 chance of seeing a third icon beyond password safe and secrets safe. I don’t remember now what it was and it wasn’t everyone but if they hit the admin appliance, they got the standard as well as any admin function they may need. Service account password rotations mostly.

Imagine giving users the ability to log into the admin portal to rotate a password for their service accounts. Now imagine them trying to hit the right appliance to do that or getting the change password option when they don’t want or need it.

I have uvm01 for reporting services, password changes, etc. using https://admin-vault and uvm02 and 03 behind a network load balancer using https://vault so that users who just want their passwords can use SAML.

Anyone with access to the admin portal must use TOTP and a password. everyone else uses SAML and username & password is disabled.

How do you setup Active Active DB across multi datacenter? 

Your DBA can assist with that. Microsoft provides what they call an Always On SQL deployment.