Why do you create a separate post? You could have asked 2 questions in one post if it was about the same topic (NSX Firewalling).
I can only give the same answer as in your other post:
This depends on the use case and network design. If an Edge Gateway or DLR is in between, you can create IP-based rules, or you can work with the Distributed Firewall and Security Policies and Tags. But without knowing your network design and structure, I can't give a more accurate answer.
---
Regards,
Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.