Cisco Umbrella uses the IPSec protocol for tunneling traffic. This article describes the automatic failover mechanism to a secondary data centres and disaster recovery when the primary data centre is unavailable. This feature is available in all SIG data centres globally.
Automatic Failover and Secondary Tunnels
Data centres in each region are paired with each other for automatic failover, using hybrid anycast routing. For example, if an IPsec tunnel is connected to Los Angeles in US-1 region on 126.96.36.199, and then the Los Angeles data centre is taken out of rotation for any reason, the Santa Clara data centre(also in US-1) will automatically start accepting traffic on the Los Angeles' IP address (188.8.131.52), in addition to it's normal IP address (184.108.40.206). Additionally, should both data centres in a region be unavailable, the disaster recovery site (Dallas in this case) will automatically take traffic destined for either of those IP addresses.
Because of this mechanism, you can achieve high availability with just a single IPsec tunnel. Should you choose to create two tunnels, if they are in the same region, they must have different IPsec credentials. This is required to avoid two tunnels with the same set of credentials hitting the same data center when one data center is down. If the tunnels are in different regions, they should have different credentials to prevent issues in the rare case that all data centers in both regions are down and both tunnels are going to the disaster recovery data center.
For example, if you have one tunnel to Los Angeles, and a secondary tunnel to Santa Clara, and both are using the same IPsec credentials, if either data centre is unavailable, then because of hybrid anycast both tunnels will end up in the same data centre. This creates a problem because Umbrella data centres only allow one connection per IPsec credentials in a data centre.