Your method can be slightly changed into something like below:
- Create Security Group for all VLAN-backed VMs e.g. SG-VLAN-VMs
- Create Security Group for all VXLAN-backed VMs e.g. SG-VXLAN-VMs
- For the VLAN-backed VMs, create a firewall rule to Allow Any to Any and Applied To SG-VLAN-VMs
- For any other rules, edit the default Applied To (Distributed Firewall) to SG-VXLAN-VMs. You can even create more, smaller application groups to use in the Applied To field if you want.
Using Applied To will also help to reduce the DFW rules per vmware-sfw filter.
If you are using PowerCLI/PowerNSX, it would be quite easy to add VMs to the exclusion list:
Distributed Firewall operations
Get-VM <VM name> | Add-NsxFirewallExclusionListMember
If all the VXLAN-backed VMs are inside the same folder, you can grab them with a one-line command and add them to the exclusion list, something like below:
Get-Folder "First Folder" | Get-Folder "Second Folder" | Get-VM | Add-NsxFirewallExclusionListMember
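The whole procedure from the reply above (two security groups, an Allow Any/Any rule scoped with Applied To, other rules scoped to the VXLAN group, and the exclusion-list step) written out as a PowerCLI/PowerNSX script. This is an added example, not code from the original post or from PowerNSX itself. It assumes PowerCLI and PowerNSX are installed and that NSX Manager is registered with the vCenter it connects to; the server name, folder names, section names and the rule name are placeholders, and the classification of VXLAN-backed VMs by the logical-switch port group prefix `vxw-dvs-*virtualwire*` assumes the default NSX port group naming has not been changed.

```powershell
# Added example (not from the original post). Assumptions:
#  - PowerCLI and PowerNSX modules are installed
#  - 'vcenter.lab.local' is a placeholder vCenter with NSX Manager registered
#  - NSX logical switch port groups still use the default 'vxw-dvs-...-virtualwire-...' names
Import-Module VMware.PowerCLI
Import-Module PowerNSX

# -vCenterServer makes PowerNSX look up the registered NSX Manager for you
Connect-NsxServer -vCenterServer 'vcenter.lab.local' -Credential (Get-Credential)

# 1. Split the inventory into VXLAN-backed and VLAN-backed VMs by port group type.
$allVms   = Get-VM
$vxlanVms = $allVms | Where-Object {
    ($_ | Get-NetworkAdapter | Where-Object { $_.NetworkName -like 'vxw-dvs-*virtualwire*' })
}
$vxlanIds = @($vxlanVms | ForEach-Object { $_.Id })
$vlanVms  = $allVms | Where-Object { $vxlanIds -notcontains $_.Id }

# 2. Create (or reuse) the two security groups and populate them.
function Get-OrCreateSecurityGroup {
    param([string]$Name, $Members)
    $sg = Get-NsxSecurityGroup -Name $Name
    if (-not $sg) {
        $sg = New-NsxSecurityGroup -Name $Name -Description 'Created by added example script'
    }
    if ($Members) {
        $sg | Add-NsxSecurityGroupMember -Member $Members | Out-Null
    }
    Get-NsxSecurityGroup -Name $Name    # re-read so the returned object carries the membership
}
$sgVlan  = Get-OrCreateSecurityGroup -Name 'SG-VLAN-VMs'  -Members $vlanVms
$sgVxlan = Get-OrCreateSecurityGroup -Name 'SG-VXLAN-VMs' -Members $vxlanVms

# 3. Allow Any -> Any, but only enforced on the VLAN-backed VMs (Applied To = SG-VLAN-VMs).
#    Put it in its own section so it can be kept above the application rules.
$bypassSection = Get-NsxFirewallSection -Name 'VLAN-Bypass'
if (-not $bypassSection) { $bypassSection = New-NsxFirewallSection -Name 'VLAN-Bypass' }
$bypassSection | New-NsxFirewallRule -Name 'Allow VLAN VMs Any-Any' `
    -Action allow -AppliedTo $sgVlan -EnableLogging:$false | Out-Null

# 4. Example application rule scoped to the VXLAN group instead of the default
#    'Distributed Firewall' Applied To, so it is never pushed to the VLAN-backed VMs.
$appSection = Get-NsxFirewallSection -Name 'VXLAN-Apps'
if (-not $appSection) { $appSection = New-NsxFirewallSection -Name 'VXLAN-Apps' }
$https = Get-NsxService -Name 'HTTPS'
$appSection | New-NsxFirewallRule -Name 'HTTPS to VXLAN VMs' `
    -Destination $sgVxlan -Service $https -Action allow -AppliedTo $sgVxlan | Out-Null

# 5. Alternative to step 3: take the VLAN-backed VMs out of the DFW entirely.
#    The exclusion list removes enforcement *and* logging for these VMs, so pick
#    either this or the Applied To rule, not both.
$vlanVms | Add-NsxFirewallExclusionListMember | Out-Null

# 6. Check the result: which VMs are excluded, and which rules target each group.
Get-NsxFirewallExclusionListMember | Select-Object Name
Get-NsxFirewallRule | Where-Object { $_.appliedToList.appliedTo.name -contains 'SG-VXLAN-VMs' } |
    Select-Object id, name
```

Two things worth checking after running this: the VLAN-Bypass section must sit above the application sections (rule order is top-down per vmware-sfw filter), and a VM that has both a VXLAN and a VLAN vNIC lands in SG-VXLAN-VMs here, so the Allow Any/Any rule will not cover its VLAN adapter; adjust the classification if such VMs exist in the environment.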