What is the general best practice for subnetting a small (about 15 servers) network of VMs and physical machines?
How granular should it be? Do you want to have a logical subnet or VLAN for every separate function in the network?
What is generally the guideline here?
I should add also that this is a small network with the sole purpose of hosting public-facing web sites and applications for a small business. There will not be any other external users other than those from the internet.
The best solution is probably a private VLAN, which allows your servers to communicate with a common uplink, but not with each other. This reduces configuration overhead, yet makes lateral movement by attackers a lot more difficult.
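To make the private VLAN suggestion above concrete, here is an added example configuration (not the answerer's own, and not tied to any particular product beyond the Cisco Catalyst IOS syntax it assumes). The VLAN IDs, port numbers and descriptions are made up: one primary VLAN whose only promiscuous port is the uplink to the firewall, and one isolated secondary VLAN holding every server port.

```cisco
! Added example. Assumes a Catalyst switch running IOS; VLAN IDs, ports
! and descriptions are invented for illustration.
! Private VLANs require VTP transparent mode (or VTP v3).
vtp mode transparent
!
! Primary VLAN: what the router/firewall sees.
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: ports in it can reach promiscuous ports only,
! never each other, even though all hosts share a single IP subnet.
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
!
! Promiscuous port: the uplink to the firewall. This is the single
! place every server can send frames to.
interface GigabitEthernet1/0/1
 description uplink to firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Isolated host ports: one per physical server (or per hypervisor NIC).
interface range GigabitEthernet1/0/2 - 16
 description web and app servers
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

Two caveats a practitioner should check before relying on this. First, the isolation is layer 2 only: the servers still share one subnet, so the firewall on the promiscuous port must be configured to drop traffic that arrives from the server subnet and is destined back into the same subnet (otherwise a server can simply route to its neighbour via the firewall, and proxy ARP on the firewall would make that transparent). Second, VMs on the same hypervisor never touch this switch; the virtual switch needs an equivalent isolation feature (for example PVLAN support on a distributed vSwitch, or per-VM port groups with no VM-to-VM forwarding), or the VMs on one host can still talk to each other freely.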
There is no "best practice." How you segregate devices depends on your security needs (assets, risks, vulnerabilities, etc.) and how the devices communicate with each other. Every system is different, and it's impossible for us to decide for you.
That being said, generally if you want to restrict traffic between devices or systems, it's easier if they're in separate subnets (VLANs). Then you can restrict access between the subnets.
Bear in mind that VLANs alone provide NO security. You need to apply access control lists (or other types of filtering) to the VLAN interfaces that will enforce whatever security policy you want.
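As an added illustration of the "separate subnets plus ACLs on the VLAN interfaces" approach described in this answer (this is example configuration, not the answerer's), here is a three-tier layout on a layer-3 Catalyst switch in Cisco IOS syntax. The VLAN IDs, subnets and port numbers are invented; the policy is the one a small public-facing web setup usually wants: web servers may open PostgreSQL sessions to the database tier and nothing else internal, the database tier initiates nothing, and a management VLAN may SSH to both.

```cisco
! Added example. Assumes a layer-3 Catalyst doing inter-VLAN routing.
! VLAN IDs, addresses and ports are invented for illustration.
vlan 10
 name WEB
vlan 20
 name DB
vlan 30
 name MGMT
!
! Applied "in" on the WEB SVI, so it filters what WEB hosts send.
! Every IOS ACL ends with an implicit deny, so only what is listed passes.
ip access-list extended WEB-IN
 remark web -> db on postgres only
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 5432
 remark replies to management SSH sessions (stateless ACL needs this)
 permit tcp 10.0.10.0 0.0.0.255 eq 22 10.0.30.0 0.0.0.255 established
 remark no other internal destinations
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 remark everything else (Internet-bound, already NATed upstream) is fine
 permit ip 10.0.10.0 0.0.0.255 any
!
! DB tier: replies to web and management only; it never starts sessions.
ip access-list extended DB-IN
 permit tcp 10.0.20.0 0.0.0.255 eq 5432 10.0.10.0 0.0.0.255 established
 permit tcp 10.0.20.0 0.0.0.255 eq 22   10.0.30.0 0.0.0.255 established
 deny   ip any any log
!
! Management: SSH into both tiers, nothing else.
ip access-list extended MGMT-IN
 permit tcp 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 22
 permit tcp 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22
 deny   ip any any log
!
interface Vlan10
 description WEB tier
 ip address 10.0.10.1 255.255.255.0
 ip access-group WEB-IN in
!
interface Vlan20
 description DB tier
 ip address 10.0.20.1 255.255.255.0
 ip access-group DB-IN in
!
interface Vlan30
 description management
 ip address 10.0.30.1 255.255.255.0
 ip access-group MGMT-IN in
```

Two things to verify after applying something like this. The ACLs are stateless, so every allowed session needs a matching "established" (or reflexive ACL) entry for the return direction, as above; if that bookkeeping grows past a handful of flows, a stateful firewall between the VLANs (or IOS zone-based firewall) is easier to keep correct than hand-written reverse entries. And, as with the private VLAN answer, the policy only holds if the VMs are actually on these VLANs: the hypervisor uplinks must be trunks carrying VLANs 10, 20 and 30 with each VM tagged into exactly one of them, otherwise two VMs on the same host can talk through the virtual switch without ever crossing an SVI.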