Overview
Active Directory runs on a single domain controller inside your Google Cloud VPC on a private IP.
Imper.ai requires secure, encrypted connectivity to the domain controller in order to perform directory verification and identity validation operations.
This document describes the secure connectivity model used to establish that integration while maintaining strict network boundaries and minimizing exposure.
The design is based on the following principles:
Connectivity is restricted to a single, defined directory endpoint
Communication is limited to encrypted LDAP transport only
No general network access into the VPC is introduced
No access is provided to other systems or connected networks
All directory activity remains auditable within the domain controller
The integration uses Google Cloud VPC peering to establish private connectivity between the two environments, with routing, firewall, and encryption controls enforced on that link.
This approach ensures that the integration is secure, narrowly scoped, and aligned with enterprise network security best practices.
What This Integration Does
Imper.ai connects securely to:
A single domain controller
A single private IP address
A single LDAP transport (LDAPS or LDAP with StartTLS)
It does not provide:
General access to your VPC
Access to other internal systems
Access to additional networks connected to your VPC
Architecture
A dedicated VPC peering connection is established between:
Your Google Cloud VPC (hosting the domain controller), and
An isolated Imper.ai Google Cloud VPC created specifically for this integration
All communication occurs over Google Cloud’s private network.
No traffic traverses the public internet.
Network Restrictions
To ensure strict access control, connectivity is limited as follows:
Allowed Destination
Domain controller private IP only
Allowed Port (choose one)
LDAPS — TCP 636 (recommended), or
LDAP with StartTLS — TCP 389
No other internal IP addresses inside your VPC are reachable from Imper.ai.
No other ports are accessible.
Routing Controls
The VPC peering configuration must ensure:
The Imper.ai VPC can only route to the domain controller’s private IP
No additional subnets or network prefixes are reachable
No transit routing into other networks connected to your VPC
If your VPC has connectivity to other environments (for example, on-premises or additional cloud networks), those networks will not be accessible through this integration.
Firewall Configuration
Your firewall policy should allow:
Source: Imper.ai peered VPC
Destination: Domain controller private IP
Port: TCP 636 or TCP 389
All other inbound traffic from the peered Imper.ai network must remain denied.
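The routing and firewall controls above, expressed as an added Terraform example for your side of the peering (this is not configuration from Imper.ai or from this document; the VPC name, domain controller IP, Imper.ai peer range and peer network self link are constructed placeholders to replace with the values Imper.ai supplies):

```hcl
# Added Terraform example (not from the Imper.ai documentation). All names,
# addresses and the peer network self link below are constructed placeholders.
locals {
  dc_private_ip   = "10.10.0.5"       # placeholder: domain controller private IP
  imper_peer_cidr = "10.200.0.0/24"   # placeholder: Imper.ai peered VPC range
  ldap_port       = "636"             # LDAPS; set "389" for LDAP with StartTLS (choose one)
  imper_peer_vpc  = "projects/IMPER-PROJECT/global/networks/IMPER-VPC"  # placeholder
}

data "google_compute_network" "corp" {
  name = "corp-vpc"  # placeholder: your VPC hosting the domain controller
}

# Peering to the isolated Imper.ai VPC. Peering always exchanges subnet routes,
# so keep custom-route exchange off (routes to on-premises or other clouds are
# not exported); the firewall rules below confine reachability to one IP/port.
resource "google_compute_network_peering" "imper" {
  name                 = "peer-to-imper-ai"
  network              = data.google_compute_network.corp.self_link
  peer_network         = local.imper_peer_vpc
  export_custom_routes = false
  import_custom_routes = false
}

# Allow: Imper.ai range -> DC private IP only -> chosen LDAP port only.
resource "google_compute_firewall" "allow_imper_ldap" {
  name               = "allow-imper-ai-ldap"
  network            = data.google_compute_network.corp.name
  direction          = "INGRESS"
  priority           = 1000
  source_ranges      = [local.imper_peer_cidr]
  destination_ranges = ["${local.dc_private_ip}/32"]
  allow {
    protocol = "tcp"
    ports    = [local.ldap_port]
  }
}

# Explicit, logged deny for anything else from the peered range. The implied
# ingress deny would drop it anyway; this rule makes the boundary visible and
# produces firewall log entries for any attempt outside the allowed path.
resource "google_compute_firewall" "deny_imper_other" {
  name          = "deny-imper-ai-other"
  network       = data.google_compute_network.corp.name
  direction     = "INGRESS"
  priority      = 1100
  source_ranges = [local.imper_peer_cidr]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}
```

VPC peering only becomes active once the matching peering is also created on the Imper.ai side; the firewall rules take effect on your VPC as soon as they are applied.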
DNS and Addressing
If Imper.ai connects using the domain controller’s private IP address:
No cross-network DNS configuration is required.
If Imper.ai connects using a hostname:
Private DNS resolution must be available from the peered network.
Encryption and Certificate Validation
All directory communication is encrypted.
If using LDAPS (TCP 636)
The domain controller presents a valid TLS certificate
Imper.ai validates the certificate chain
If using LDAP with StartTLS (TCP 389)
TLS is negotiated after connection
Certificate validity and chain validation are enforced
Certificate chain validation protects the directory connection against man-in-the-middle attacks.
Security and Audit
All directory changes remain fully logged in your domain controller security logs
Network access is restricted by firewall and routing policies
No standing administrative access is granted to Imper.ai
Your domain controller remains the authoritative audit source for any activity performed through this integration.
Why This Design Is Secure
This architecture ensures:
Single-system exposure
Single-port exposure
Encrypted communication only
No lateral network access
No public internet exposure
Full auditability