VMware Networking Community
TheVMinator (Expert)

NSX Edge Gateway Substitutes

The NSX Edge gateway can be used for North-South firewall services, NAT, and so on. If I'm already using Palo Alto physical firewalls, and I want the features that their OS offers for North-South firewalling, can I use a Palo Alto VIRTUAL firewall in conjunction with NSX Edge to provide NAT and North-South firewalling in place of NSX Edge?

(I know Palo Alto VM-1000 firewall can be used to enhance the NSX Distributed Firewall by installing it on every host - that isn't what I'm talking about doing here - I want to see if I can use Palo Alto for North South firewalling to get rid of NSX edge gateway completely)

Accepted Solution
ocecil (Enthusiast)

TheVMinator, I personally do not have enough knowledge of the Palo Alto physical firewall or PAN-OS to determine how it should best be used with NSX. However, you did mention wanting to reduce the complexity of deploying new tenants, and that can definitely be achieved by using ESG. A single ESG setup will easily allow up to 9 virtual tenants to be deployed off of it, and if you require more than 9 tenants, you can deploy an aggregation-layer ESG that will be able to support up to 9 tenant ESGs for scalability. A diagram of this topology can be seen here:

https://richdowling.wordpress.com/2014/10/09/objective-2-1-define-benefits-of-running-vmware-nsx-on-...

Combined with a variety of other features ESG comes with, which you might or might not need, I believe it is a must for any NSX infrastructure. Even if the Palo Alto physical firewall offers much more capability than the ESG firewall does, there is very little reason why you should avoid deploying ESG altogether, in my opinion.

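As an added example (not code from the thread or from VMware), the ESG tiering ocecil describes can be budgeted before building it. The script below assumes the NSX 6.x limit of ten vNICs per ESG with one reserved for the uplink, which is where the figure of nine tenants per ESG comes from; trunk interfaces carrying subinterfaces, which the post does not discuss, would change that budget. It returns how many ESGs each tier needs and how many ESG hops a tenant's North-South packet crosses, which is the "number of stops" concern raised later in the thread.

```python
import math

# Assumption: an NSX 6.x ESG has 10 vNICs, one of which is used as its uplink.
ESG_VNICS = 10
ESG_UPLINKS = 1


def downlinks_per_esg(vnics: int = ESG_VNICS, uplinks: int = ESG_UPLINKS) -> int:
    """Interfaces left for tenants (or for child ESGs) after reserving the uplink."""
    if uplinks >= vnics:
        raise ValueError("no interfaces left for downlinks")
    return vnics - uplinks


def plan_esg_tiers(tenants: int, vnics: int = ESG_VNICS, uplinks: int = ESG_UPLINKS) -> list[int]:
    """Return the ESG count per tier, tenant-facing tier first, for `tenants` tenants.

    Each ESG fans in at most `downlinks_per_esg` children. Tiers are added until a
    single top-level ESG can hold every ESG of the tier below it, so the result
    always ends in 1, e.g. 9 tenants -> [1], 20 tenants -> [3, 1], 82 -> [10, 2, 1].
    """
    if tenants < 1:
        raise ValueError("tenants must be >= 1")
    fan_in = downlinks_per_esg(vnics, uplinks)
    tiers: list[int] = []
    remaining = tenants
    while True:
        esgs = math.ceil(remaining / fan_in)
        tiers.append(esgs)
        if esgs == 1:
            return tiers
        remaining = esgs  # each ESG of this tier is a downlink of the tier above


def north_south_hops(tenants: int, vnics: int = ESG_VNICS, uplinks: int = ESG_UPLINKS) -> int:
    """ESG instances a tenant packet traverses between the tenant and the physical edge."""
    return len(plan_esg_tiers(tenants, vnics, uplinks))


def max_tenants(depth: int, vnics: int = ESG_VNICS, uplinks: int = ESG_UPLINKS) -> int:
    """Largest tenant count a hierarchy of `depth` ESG tiers can carry."""
    if depth < 1:
        raise ValueError("depth must be >= 1")
    return downlinks_per_esg(vnics, uplinks) ** depth


if __name__ == "__main__":
    for n in (5, 9, 10, 81, 82):
        print(f"{n:>3} tenants -> tiers {plan_esg_tiers(n)}, "
              f"{north_south_hops(n)} ESG hop(s) per North-South flow")
    print("two tiers of ESGs hold at most", max_tenants(2), "tenants")
```

The planner only sizes the ESG hierarchy; it says nothing about whether those ESGs run the ESG firewall or hand security to a third-party appliance, which is a separate decision discussed below.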
ocecil (Enthusiast)

You will definitely need the ESG for North/South traffic to connect the physical to logical, so you will not be able to get rid of ESG completely. You will however have the option of completely turning off the ESG Firewall so you can use other firewall solutions while ESG provides network connectivity.

larsonm (VMware Employee)

ESG is not required. DLR can perform north-south routing. See the explanation of deployment scenarios here: NSX DLR – ChansBlog

ocecil (Enthusiast)

Interesting, I just heard directly from Scott Lowe that although DLR can handle N/S, it isn't recommended due to its inability to handle the encapsulation needed for NSX, and that ESG will have to handle that in order for NSX to function properly. I have personally never seen any NSX design that bypassed ESG altogether for any purpose, so I believe this link is a bit misleading.

larsonm (VMware Employee)

The use of strictly the DLR to handle north-south traffic is not ideal due to the fact that the Designated Instance, which is specific to one host, is the only way for physical traffic to re-enter the VXLAN network. While the ESG is recommended, it is NOT required.

ocecil (Enthusiast)

If ESG provides the only way of allowing physical traffic to enter the VXLAN network, how would using DLR only still allow proper N/S traffic to the NSX infrastructure? I honestly cannot imagine any scenario where someone would want to NOT use ESG (unless they just wanted E/W traffic and no N/S), which is a crucial component of NSX regardless of whether someone wants to use the ESG firewall or not. I would appreciate it if you could elaborate on any scenario/reason where ESG could be completely bypassed and still have a fully functional NSX environment.

larsonm (VMware Employee)

A logical router uplink interface might connect to an NSX edge services gateway, a 3rd-party router VM for that, or a VLAN-backed dvPortgroup to make the logical router connect to a physical router directly.

Page 62 of the NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

ocecil (Enthusiast)

Might be a typo, but there is no related information on page 62 of the administration guide.

So we know using ESG will allow proper N/S into the VXLAN network, but you are saying that by connecting DLR to a VLAN-backed dvPortGroup, it will accomplish the same network connectivity from physical to NSX infrastructure? Also, you still have not mentioned any situation where it would be optimal to bypass the ESG altogether; it might not be REQUIRED, but would there be any benefit in doing so?

larsonm (VMware Employee)

Yup, wrong page. On page 59 is written the following statement: "Uplink interfaces are for North-South communication. A logical router uplink interface might connect to an NSX edge services gateway, a 3rd-party router VM for that, or a VLAN-backed dvPortgroup to make the logical router connect to a physical router directly."

I am not saying that the DLR has the same capabilities as the ESG. I'm saying that, if an NSX customer wants to connect the DLR to a VLAN-backed dvPortGroup to provide north-south communication to/from the VXLAN environment, that is an option they can choose. Doing so has limitations, but it is an option that is available.

A possible use case might be if the NSX customer wants to use a 3rd-party router VM (or possibly a firewall VM, as in the original post) instead of the ESG. Maybe this 3rd-party router plays better with their existing network infrastructure, or supports features not available with the ESG.

Another example might be if you have single ESXi hosts at remote sites and want to leverage the distributed firewall to restrict traffic on that host for, say, a video recording application, but do not want to commit host resources to the deployment of an ESG or two because you do not need the services it provides.

Many customers have very unique business requirements. While it is important to make recommendations based on best practice, it is also important to accurately articulate the true requirements of the product.

ocecil (Enthusiast)

TheVMinator, I apologize for getting a bit sidetracked, but I believe LarsonM is technically correct in saying ESG is NOT required, although I believe it is highly not recommended and you will be losing a tremendous amount of the capabilities ESG has to offer. I understand that you plan on using the Palo Alto physical firewall solution, but you can still set up ESG for proper N/S traffic and disable the ESG firewall, while gaining access to DHCP, NAT, L2 VPN, SSL VPN, and load balancing. It is rather simple to set up, and will act as a link from your physical network directly to your DLR while Palo Alto handles your N/S security. You can even use the distributed firewall for micro-segmentation on top of your physical firewall; perhaps that is something you might be interested in also.

ocecil (Enthusiast)

I absolutely agree that clients have different solutions for their infrastructure, but in OP's case (well, for any case for that matter), losing all the capabilities that ESG offers seems like too much of a waste, especially when it can still be used easily with OP's Palo Alto physical firewall solution while retaining all the ESG services. I should've been clearer from the start: while ESG definitely is NOT required, as you stated, I believe it is HIGHLY recommended to utilize it for any NSX infrastructure.

pkts (Contributor)

Use of DLR with a VLAN-backed port group for N/S traffic will lead to the N/S VLAN having to be plumbed to all hosts, including the compute hosts. Use of ESG limits the trunking of the external VLAN (and hence VLAN-based flooding) to the Edge Cluster. This may or may not be a concern depending on your architecture.

TheVMinator (Expert)

Thanks all for this great input. Some more background here:

  • A Palo Alto physical firewall is in place, as mentioned.
  • Palo Alto has some great features in its PAN-OS virtual appliance that we would like to implement for North-South traffic for multiple tenants. Things like App-ID based rules and the whole suite of features in PAN-OS.
  • The physical Palo Alto has limits in terms of how much traffic and processing can happen there. If we can move some of that processing onto virtual appliances and make it specific to certain tenants, that eases the choke point on the physical firewall and distributes it to the virtual appliances, and the solution can scale much more easily than adding / replacing physical appliances.
  • If we add a Palo Alto virtual appliance, then we have a number of stops on the communication path already; for example, for traffic coming in: 1. the Palo Alto physical appliance (on the perimeter) -> 2. the Palo Alto virtual appliance (specific to each tenant) -> 3. the tenant environment.

I would like to retain the feature set available in PAN-OS while reducing the complexity of the deployment of the solution for each new tenant, reduce the number of devices / VMs required in the communication path, and require the fewest points of management. If every required service that the ESG gateway offers could be done by a Palo Alto VM-Series firewall, and there is nothing ESG does that a Palo Alto VM-Series firewall can't do (is there?), then does it make sense to use both ESG and the Palo Alto VM-Series firewall?

TheVMinator (Expert)

OK, thanks again for all the input.
