We need to enable VPC Flow Logs in our GCP environment. There are around 100 projects and most of the services are using Shared VPC. Each Shared VPC has around three subnets, and services in many projects are still running under the default VPC. Because there is a cost associated with VPC Flow Logs, like storage costs and Data Access audit logs, our plan is to not enable Flow Logs everywhere but only on subnets which are Internet-facing. But there is nothing like a private/public subnet in GCP.
One option we are thinking of is identifying the subnets of GCP services which are exposed to the Internet or using a public IP, like Google Load Balancer, VM instances with a public IP, GKE LB and Ingress, Cloud SQL instances with a public IP, etc., and enabling VPC Flow Logs on those subnets. But we would have to browse through all the projects to identify the subnets for the services which are exposed using a public IP. Does this make sense?
There are also options like increasing the aggregation interval and the sample rate to decrease the cost associated with VPC Flow Logs, but I am looking for guidelines and best practices for identifying the subnets on which to enable VPC Flow Logs.
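As an added example (not part of the question above, and not a Google tool), here is the kind of inventory script a practitioner would write for the "browse through all the projects" step, scoped to the one case that maps cleanly onto a subnet: VM instances whose NIC has an external IPv4 or IPv6 address. It reads the JSON that `gcloud compute instances list --format=json` produces, takes the host project, region and subnet name from each NIC's `subnetwork` self-link (for Shared VPC that is the host project, which is where the subnet has to be updated, not the service project that owns the VM), and prints the `gcloud compute networks subnets update ... --enable-flow-logs` commands with a coarser aggregation interval and a sampling rate below 1.0 to limit volume. Load balancers, GKE Ingress and Cloud SQL are not covered here because their public addresses are not attached to a subnet the same way. The project names, subnet names and the embedded sample JSON are constructed for the demo; with `--live` the script shells out to `gcloud` instead.

```python
"""Inventory subnets that host VMs with external IPs across many GCP projects
and emit the gcloud commands that enable VPC Flow Logs on exactly those subnets.

Added example, not from the original post. Run with no arguments to process the
constructed SAMPLE below; run with --live to iterate over every project visible
to the active gcloud account."""
import json
import re
import subprocess
import sys

# Subnetwork self-links look like
# https://www.googleapis.com/compute/v1/projects/HOST/regions/REGION/subnetworks/NAME
SUBNET_RE = re.compile(r"/projects/([^/]+)/regions/([^/]+)/subnetworks/([^/]+)$")


def parse_subnet_url(url):
    """Return (host_project, region, subnet) from a subnetwork self-link.
    In Shared VPC the project in the URL is the host project, which is where the
    subnet must be updated, not the service project that owns the instance."""
    m = SUBNET_RE.search(url)
    if not m:
        raise ValueError(f"unexpected subnetwork URL: {url}")
    return m.group(1), m.group(2), m.group(3)


def has_external_ip(nic):
    """True if the NIC carries an external IPv4 (natIP) or IPv6 address."""
    v4 = any(ac.get("natIP") for ac in nic.get("accessConfigs", []))
    v6 = any(ac.get("externalIpv6") for ac in nic.get("ipv6AccessConfigs", []))
    return v4 or v6


def public_subnets(instances):
    """Set of (host_project, region, subnet) holding at least one NIC with an
    external address. `instances` is the parsed JSON of
    `gcloud compute instances list --format=json` (possibly concatenated
    across projects)."""
    found = set()
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            if has_external_ip(nic) and nic.get("subnetwork"):
                found.add(parse_subnet_url(nic["subnetwork"]))
    return found


def flow_log_cmd(host_project, region, subnet,
                 interval="interval-5-min", sampling=0.25):
    """gcloud command that enables flow logs on one subnet. A coarser
    aggregation interval and a sampling rate below 1.0 cut log volume; the
    values here are a starting point, not a recommendation."""
    return [
        "gcloud", "compute", "networks", "subnets", "update", subnet,
        f"--project={host_project}", f"--region={region}",
        "--enable-flow-logs",
        f"--logging-aggregation-interval={interval}",
        f"--logging-flow-sampling={sampling}",
        "--logging-metadata=include-all",
    ]


def list_projects():
    out = subprocess.run(["gcloud", "projects", "list", "--format=value(projectId)"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


def list_instances(project):
    out = subprocess.run(["gcloud", "compute", "instances", "list",
                          f"--project={project}", "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample: two service projects on a Shared VPC host plus one VM
# still on a default VPC. Only the NICs with natIP should be reported.
_PFX = "https://www.googleapis.com/compute/v1/projects/"
SAMPLE = [
    {"name": "web-1", "networkInterfaces": [{
        "subnetwork": _PFX + "host-prj/regions/us-central1/subnetworks/web-subnet",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "networkInterfaces": [{
        "subnetwork": _PFX + "host-prj/regions/us-central1/subnetworks/db-subnet"}]},
    {"name": "legacy-1", "networkInterfaces": [{
        "subnetwork": _PFX + "svc-b/regions/us-east1/subnetworks/default",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "198.51.100.7"}]}]},
]


def main(argv):
    if "--live" in argv:
        instances = [i for p in list_projects() for i in list_instances(p)]
    else:
        instances = SAMPLE
    for host, region, subnet in sorted(public_subnets(instances)):
        print(" ".join(flow_log_cmd(host, region, subnet)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script only prints the commands so the list can be reviewed before anything is changed; pipe it to `sh` once it looks right. Note that a subnet with a single public VM gets flow logs for every VM in it, which is the trade-off the question already implies.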