You can do VRRP failover if there is no firewall between the AP and the VRRP (the controllers have public ip addresses as well as a VRRP addressed on them). It is preferable to point a RAP to a DNS a-record that has two ip addresses, that way the AP will either get both ip addresses and try one after the other, or the DNS round-robins and gives the RAP a different address for each request.