Skip to main content

PowerSync Cloud: IP Filtering

For enhanced security, you can restrict database access to PowerSync Cloud’s IP addresses. Below are the IP ranges for each region: 
50.19.5.255
34.193.39.149
18.234.18.91
18.233.128.219
34.202.251.156
Do not rely on IP filtering as a primary form of security. Always use strong database passwords, and use client certificates if additional security is required. Support for private endpoints is also available in certain scenarios (see below).

PowerSync Cloud: AWS Private Endpoints

See Private Endpoints for using a private network to your database using AWS PrivateLink (AWS only).

PowerSync Cloud: TLS with Postgres

PowerSync Cloud always enforces TLS on connections to the database, and certificate validation cannot be disabled. PowerSync supports TLS version 1.2 and 1.3. The Server Certificate is always validated. The following two SSL Modes are supported:
  1. verify-full - This verifies the certificate, and checks that the hostname matches. By default, we include CA certificates for AWS RDS, Azure and Supabase. Alternatively, CA certificates to trust can be explicitly specified (any number of certificates in PEM format).
  2. verify-ca - This verifies the certificate, but does not check the hostname. Because of this, public certificate authorities are not supported — an explicit CA must be specified. This mode can be used with self-signed certificates.
In some cases, hitting the Test Connection button when adding a source database connection in the PowerSync Dashboard will automatically retrieve the certificate for verify-ca mode. Once deployed, the current connections and TLS versions can be viewed using this query: 
select
  usename,
  ssl,
  version,
  client_addr,
  application_name,
  backend_type
from
  pg_stat_ssl
  join pg_stat_activity on pg_stat_ssl.pid = pg_stat_activity.pid
where
  ssl = true;

See Also