Hello, thanks for using the Support Forums. I will attempt to answer your questions.
1.) Can I make policies like this: a VM with name xx from EPG1 can talk to a VM in EPG2 with name yy, with certain security tags?
--dpita: Yes, this is possible. At this point in time you need to use the AVS switch instead of the DVS built into vCenter. This feature is called micro-segmentation. Please see this article for more information:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_1_2_1x_chapter_01000.html
2.) Can I deny communication within a single EPG?
--dpita: Yes, this is possible. This feature works with the DVS right now. It's called Intra-EPG isolation. Please see this article for more information:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html#id_13260
Regarding your third question on DR and multi-site, I did a quick Google search and found a white paper from WWT. I recommend you speak with your account manager to get in touch with Cisco AS for help with that design.
Hope that helps. Have a nice day.