N-S traffic is the one that will enter thru the EDGES, in terms of rules you need to verify if you are using a deny to all other traffic this depends on your approach so to make it simple VM1 ->VM2 will have a rule of deny/allow traffic on DFW but if this VM1 needs to reach something outside the overlay if this is the case or the vSphere environment (scope of the DFW) then you will have a DFW rule as well, also check that EDGES doe not have any FW active.
my 2 cents .