Hi ndmuser,
You can solve this by many approaches.
1. The first approach is to use two separate VLAN's for this. Say internal campus network portgroup with VLAN 20 and external VLAN (DMZ) is 30.
So a DB would have a single NIC with connecting to portgroup with VLAN 20 and APP VM has two NIC one connected to Internal Campus Network and another to DMZ
VLAN.
This is the easiest way.
2. Second way is to use the internal PVLAN feature of vDS. For details check the below link
Page 54
Saying the above there is no limitation in doing the vMotion between the hosts. You need to have underlying physical NIC's of the host server in TRUNK port so that all the VLAN data would flow through the NIC and you would implement VLAN tagging at the vDS/vSS level.
Please let me know if you need more information or clarification