• All VMs on some NSX segments are unable to communicate with anything outside of NSX. 
• Affected VMs can communicate with VMs on other NSX segments, validating East/West communication is working within NSX. 
• Putting affected VMs in the DFW Exclusion List does not change the behavior. 
• Traceflow to 8.8.8.8 (or any other IP outside of the VMware NSX environment) will result in not dropped and not delivered. 

• VMware NSX
• VMware vSphere ESXi

There is a firewall appliance North of the NSX Tier 0 interface(s) that is dropping traffic. 

Investigate the physical network North of the NSX T0 to determine where traffic to affected VMs is being dropped. 

There can be multiple firewalls in place between on-Prem and Cloud environments (ie. Microsoft AVS).