If starting to use NSX go for NSX-T, as NSX-V has an announced EOS.
If all you want is to isolate VMs the easiest way is to use the distributed firewall. It has no dependencies on overlay routing. DFW uses groups for rules which can have specific criteria, so you can essentially isolate VMs without even having to call an API. If you want to check something outside of NSX environment and act upon this I think the easiest way to isolate a VM would be to have a DFW rule that matches on VMs with a specific tag setup with the desired isolation. When you effectively want to isolate the VM just send an API call to tag the VM and the DFW rule will start acting. Remove the tag and you remove isolation.