Scott,
In a two-node cluster, the PUB is not performing much cluster-related work, so you can send 50/50 of your traffic to each node. If you have AOS, you can utilize built-in load-balancing to load balance the authN requests from the NADs. Other vendors do sometimes support primitive load-balancing; otherwise you need to configure 50% of your NADs to point to the SUB with a fail-through to the PUB and the remaining 50% the other way round.
At this time, it was recently discovered that the PUB fail-over for an AWS deployment is not working. We've triaged the issue and have discovered the fault, and are planning on getting a fix released soon.