General ACI Question Design

PatrickH1
Level 1

Dear Community,

I have different design questions about ACI.

When should I use different AEPs?
In which case should I connect a Firewall/Loadbalancer with L3Out or L4/7 Service Graph?
Which advantages do I have with L4/7 Service Graph unmanaged?
Is there any other way to add static ports to an EPG other than under EPG -> Static Port?

Kind Regards

Patrick

5 Replies

RedNectar
VIP

Hi @PatrickH1,

Firstly, my answers are my opinion, and may not reflect the "official" Cisco approach, and there may be much better answers out there than mine (so I encourage others to chip in).

When should I use different AEPs?

A: This is a question I would ask to see if someone understood the whole Access Policy Chain concept. But if you look at what an Interface Policy Group does, you'll see a fairly simple concept of collecting a set of standard interface policies (CDP, LLDP etc) and putting them in a named group. But the bit that is missing from that group is the set of VLANs allowed - or more precisely, the set of Encapsulations allowed, given that there may be VLANs and VXLANs. And of course these sets of encapsulations are kept in Encapsulation Domains which are linked to either a VLAN Pool or a VXLAN Pool - except Cisco didn't call them Encapsulation Domains, but rather Physical Domains, VMM Domains etc.

So what is needed is an entity that gives me a list (ie a Profile) of Encapsulation Domains that tell the Interface Policy Group what VLANs/VXLANs are to be included in this interface profile.

So Cisco invented the Encapsulation Domain Profile to do just that - except instead of calling it an Encapsulation Domain Profile (which I think is relatively easy to understand), they called it an Attachable Access Entity Profile (which still is beyond my comprehension) or various variations thereof.

So if an AAEP is a collection of VLAN/VXLANs, the act of linking an Interface Profile to an AAEP makes it possible for whatever Interfaces are linked to the Interface Policy Group to accept traffic on those VLANs/VXLANs.

Think of the AAEP as a place where Encapsulations (VLANs/VXLANs) get together with interfaces and have a party. The only VLANs a given interface can dance with are the ones at the party. I have referred to this concept in the past as an Attachable Access Entity Party. Google it.

In which case should I connect a Firewall/Loadbalancer with L3Out or L4/7 Service Graph?

A: I'm going to pass on this one for now to allow someone with more patience to explain. For me, I'd just say to use a L3Out if you want to keep your sanity. [This is NOT the official Cisco answer]

Which advantages do I have with L4/7 Service Graph unmanaged?

A: Using a Managed Service Graph means you configure the L4/7 device within ACI. This is not a pretty prospect, but has the advantage of potentially re-configuring, say, your load balancer when a change occurs. An example might be that when a new server is added to the EPG, the managed Load Balancer is reconfigured to add that server to the Server Pool.

Unmanaged means you have to configure your Firewall/Load Balancer using the tools you already use to manage the device. And gives you a better chance of keeping your sanity.

Is there any other way to add static ports to an EPG other than under EPG -> Static Port?

A: Yes. And it pushes your understanding of the AAEP as well. Instead of defining Static Mappings under the EPG, go to Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles. In the Work Pane, you will see a section called Application EPGs. Click the [+] icon to add an EPG/VLAN ID and, as a result, every port in this Access Policy Chain is now configured to classify any traffic arriving with that VLAN tag into the EPG. All you have to do in the EPG config is to make sure the EPG is linked to a Physical Domain that contains the VLAN ID that was used in the mapping.

From my experience, this is the method preferred by Cisco Advanced Services whenever they do a Network Centric Install. I often wonder why this method is not included in the Cisco training courses.  

I hope this helps.

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
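The AAEP-based mapping described in the answer above can also be pushed through the APIC REST API instead of the GUI, and the caveat at the end of that answer (the EPG must be associated with a Physical Domain whose VLAN pool contains the mapped VLAN, or the mapping classifies nothing) can be checked before posting. The following is an added example, not code from the thread or from Cisco. The APIC class names (infraAttEntityP, infraGeneric, infraRsFuncToEpg, fvAEPg, fvRsDomAtt) are the real ones; every tenant, application profile, EPG, domain and VLAN pool name, and the whole fabric model, is assumed for illustration.

```python
"""Build the APIC payloads for an AAEP -> EPG VLAN mapping and check the
access-policy chain behind it (added example; names are assumed)."""
import json


def aaep_epg_mapping(aaep, tenant, ap, epg, vlan, mode="regular"):
    """Payload for POST /api/mo/uni.json: maps an EPG to a VLAN on every
    interface whose policy group uses this AAEP (the 'Application EPGs'
    section of the AAEP in the GUI). mode: regular (trunk), native, untagged."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    if mode not in ("regular", "native", "untagged"):
        raise ValueError(f"unknown mode {mode}")
    return {"infraAttEntityP": {
        "attributes": {"dn": f"uni/infra/attentp-{aaep}"},
        "children": [{"infraGeneric": {
            "attributes": {"name": "default"},
            "children": [{"infraRsFuncToEpg": {"attributes": {
                "tDn": f"uni/tn-{tenant}/ap-{ap}/epg-{epg}",
                "encap": f"vlan-{vlan}",
                "mode": mode}}}]}}]}}


def epg_domain_association(tenant, ap, epg, phys_domain):
    """Payload that links the EPG to a Physical Domain (EPG -> Domains).
    Without this the AAEP mapping above is not effective."""
    return {"fvAEPg": {
        "attributes": {"dn": f"uni/tn-{tenant}/ap-{ap}/epg-{epg}"},
        "children": [{"fvRsDomAtt": {"attributes": {
            "tDn": f"uni/phys-{phys_domain}"}}}]}}


# Constructed access-policy chain (assumed names), read from the APIC in a
# real run: AAEP -> Physical Domains (infraRsDomP), Physical Domain -> VLAN
# Pool (infraRsVlanNs), VLAN Pool -> encap blocks (fvnsEncapBlk from/to).
FABRIC = {
    "aaep_domains": {"AAEP-Servers": ["PD-Servers"]},
    "domain_pool": {"PD-Servers": "VP-Servers", "PD-Legacy": "VP-Legacy"},
    "pools": {"VP-Servers": [(3000, 3099), (3800, 3801)],
              "VP-Legacy": [(100, 199)]},
}


def vlan_in_pool(fabric, pool, vlan):
    """True if any encap block of the pool covers the VLAN."""
    return any(lo <= vlan <= hi for lo, hi in fabric["pools"].get(pool, []))


def check_mapping(fabric, aaep, vlan, epg_domains):
    """Return the reasons an AAEP -> EPG mapping for this VLAN would not
    classify traffic. epg_domains: Physical Domains the EPG is associated
    with (fvRsDomAtt). The mapping only works when the VLAN is in a pool
    reachable from the AAEP AND the EPG is linked to such a domain."""
    problems = []
    aaep_doms = fabric["aaep_domains"].get(aaep, [])
    if not aaep_doms:
        problems.append(f"AAEP {aaep} has no domains attached")
    usable = [d for d in aaep_doms
              if vlan_in_pool(fabric, fabric["domain_pool"].get(d), vlan)]
    if aaep_doms and not usable:
        problems.append(f"vlan-{vlan} is in no VLAN pool behind AAEP {aaep}")
    if not any(d in usable for d in epg_domains):
        problems.append(f"EPG is not associated with a domain on {aaep} "
                        f"whose pool holds vlan-{vlan}")
    return problems


if __name__ == "__main__":
    # Assumed names: tenant Prod, AP Web, EPG Frontend, VLAN 3801.
    args = ("AAEP-Servers", "Prod", "Web", "Frontend", 3801)
    print(check_mapping(FABRIC, "AAEP-Servers", 3801, []))            # missing domain
    print(check_mapping(FABRIC, "AAEP-Servers", 3801, ["PD-Servers"]))  # []
    print(json.dumps(aaep_epg_mapping(*args), indent=1))
    print(json.dumps(epg_domain_association("Prod", "Web", "Frontend", "PD-Servers"), indent=1))
```

Post the two payloads (in this order: domain association first, then the AAEP mapping) to `/api/mo/uni.json` with an authenticated APIC session; `check_mapping` is meant to be run first with the AAEP, domain and pool data read back from the fabric, so the "mapping does nothing" case from the thread is caught before anything is pushed.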

Hi @RedNectar,

Thank you so much for your quick reply. Your answer was very helpful. You are a very helpful member of the ACI community :)

I agree, everyone in the community is welcome. In ACI there are a lot of approaches and I wanted to hear yours.

Kind Regards

Patrick

Hi RedNectar,

I tried it out under the AEP and it worked out very well. The following sentence from you is very important because it is a must-have :)

All you have to do in the EPG config is to make sure the EPG is linked to a Physical Domain that contains the VLAN ID that was used in the mapping.

Is there any other way to add a Physical Domain to an EPG other than under EPG -> Domains? If not, can you maybe shortly describe the logic behind it :)

Kind Regards

Patrick

Hi PatrickH1,

You are correct. In fact, after I had first posted my answer I later remembered this so I came back and sneakily added that sentence "All you have to do in the EPG config is to make sure the EPG is linked to a Physical Domain that contains VLAN ID that was used in the mapping." to cover my guilt. 

And as far as I know, there is no other way to add a Physical Domain to the EPG.

You would think that since (using this method) the EPG and AAEP are linked, then the EPG would be implicitly associated with every Physical Domain linked to the AAEP, but it isn't. I suspect the reason for this is historical - this method of associating AAEPs with EPGs didn't appear until version 2 or 3, so I guess it was added as an afterthought enhancement.

RedNectar aka Chris Welsh.

Hi RedNectar,

Thanks for the explanation.

A new question came up and I am sure you can help me :)

To our Leafs we have Enclosures connected; on the VDS (VMware) and blade switches we are running private VLANs (Isolated VLAN 3800 and Primary 3801) to prevent the VMs from communicating with each other. When statically assigning the Ports to the EPG (A = Intra-EPG Isolation) I have the possibility to choose the following VLAN types:

- Port Encap (or Secondary VLAN for Micro-Seg)

- Primary VLAN for Micro-Seg

Which VLAN do I need to place in the Port Encap? 3800 or 3801?

Which VLAN tag will reach the Leaf to identify the Endpoints?

Or do I need Micro-Seg to accomplish the goal?

I also have another EPG (B) with the same VLAN ID on another Leaf. But both are in the same Bridge Domain. I have placed a contract between both EPGs.

What we want to accomplish is that EPG (A = Intra-EPG Isolation) can only talk to EPG (B), but all Endpoints in EPG (A = Intra-EPG Isolation) should not communicate with each other :)

Kind Regards

Patrick
