Q. How should I architect Userify for a secure VPC or LAN that is only accessible from our corporate network/VPN?
Set your webserverurl to a DNS-resolvable name that is accessible from your internal corporate network; for example: https://userify.internal.
This could also resolve to a public IP or EIP. This should be accessible from corporate users, since it is the URL provided in invitations, password resets, and notification emails.
Set your shiminstallerserver and shimconfigurationserver to the internal (private) IP (ie 172.x.x.x, or 10.x.x.x) or internally resolvable signed hostname (if you install signed certificates, your shims will be configured to check for the signed certificates).
This only needs to be accessible from your nodes (servers or instances). As long as corporate datacenter servers can access these internal network addresses, they can also be configured to utilize Userify as well as your cloud servers (and Userify is designed to keep serving logins for both cloud and corporate DC even if VPN connectivity is temporarily dropped.)
Ideally, co-locate Userify in your corporate datacenter next to your LDAP or AD server and do not expose LDAP (or other) ports even through a VPN. Treat your public cloud subnets as DMZs to your corporate zones and use Userify as an AD firewall, and only expose 443 on the Userify server to the public cloud. Optionally, using web server routing rules, block access to all Userify URLs except server configuration URLs (ie /api/userify/configure) Ideally, set your shim_delay to no more than 15 seconds to enable rapid updates.
Configure your loghost to be a hardened rsyslog server in the same datacenter/VPC and configure a log archiver that pulls logs from the loghost. (Important: don't push logs into your loghost or allow any access to the log archiver from the public cloud.)