NSX is very flexible.

So you could do:

     External

        |

      Edge

       / \

  LS-Web LS-App

The Edge will do L3 (routing) + Routing + FW

Pros:

  . Most likely very similar to what you have been doing for years in the physical world

  . No need for SNAT (Edge LB configured in Transparent mode under Pools)

Cons:

  . Don't benefits the unique NSX features like Distributed L3

You could also do:

     External

        |

      Edge1 (optional)

        |

     DistL3

       / \

  LS-Web LS-App

    |       |

  Edge2   Edge3

Edge1 (optional): will be there is you want services like NAT, VPN, and if all your ESXi do not have all a physical NIC connected to external.

Edge2: will be there to do LB of the Web servers (with SNAT)

Edge3: will be there to do LB of the App servers (with SNAT)

Note: Edge2 + Edge3 could be combined to limit the # of Edges

Pros:

  . Enjoy Dist-L3 for direct communication from Web-Servers to App-Servers

  . Security between LS-Web and LS-App is offered via Dist-FW

Cons:

  . require SNAT (Edge LB configured not in Transparent mode under Pools)

There is more information on LB in the NSX Design Guide here.

Dimitri

To have the simplest design and easy management. I would design the load balancing as below.

4 VM in the same logical switch. (use distributed firewall for protection and logical router for L3 routing)

1 ESG with one vnic. (one arm mode) simplify routing table for your 4 VM. Because your VM default gateway will point to the logical router instead of the ESG.

In ESG load balancing pass though mode (2 vnic ESG), your VM will have 2 gateways, logical router and ESG. So you might end up have 2 vnic for your VM and you have to configure static route for the VM.