@BenjiReis HA is automatically disabled by the RPU when it starts, then enabled at the end. - I see the task for that in the task log. We do have about 5 VMs that do not have HA enabled, but they are very small (~4GB each) so should not make any difference regardless of which hosts they were on. Also all VMs successfully evacuate from the host for the updates, its only when VMs are migrated back after all hosts are upgraded that I see a problem. I've raised a support ticket, if anything relevant comes out of it I'll try and report back here for future readers. Thanks for the suggestions, Neal.

The best way would be to use XO Proxies as "Reverse HTTP proxies" (or any reverse proxy in each DC) and then tell XO to connect to those proxies. This way, each DC will have only one entry point exposed to the outside, and you could manage that with your central XO. This is a subject we planned to work in the next months. If you have a support subscription, please open a ticket so we can do initial test inside your infrastructure

Indeed, XO doc was built for XenServer (before XCP-ng existed). @Darkbeldin will update this accordingly