Skip to main content

PowerSync Cloud: AWS Private Endpoints

To avoid exposing a database in AWS to the public internet, using AWS Private Endpoints (AWS PrivateLink) is an option that provides private networking between the source database and the PowerSync Service. Private Endpoints are currently available on our Team and Enterprise plans. We use Private Endpoints instead of VPC peering to ensure that no other resources are exposed between the VPCs.
Do not rely on Private Endpoints as the only form of security. Always use strong database passwords, and use client certificates if additional security is required.

Current Limitations

  1. Private Endpoints are currently only supported for Postgres and MongoDB instances. Contact us if you need this for MySQL.
  2. Self-service is not yet available on the PowerSync side — contact PowerSync support to configure the instance.
  3. Only AWS is supported currently — other cloud providers are not supported yet.
  4. The “Test Connection” function on the PowerSync Dashboard is not supported yet - the instance has to be deployed to test the connection.

Concepts

  • AWS PrivateLink is the overarching feature on AWS.
  • VPC/Private Endpoint Service is the service that exposes the database, and lives in the same VPC as the source database. It provides a one-way connection to the database without exposing other resources in the VPC.
    • Endpoint Service Name is a unique identifier for this Endpoint Service.
    • Each Endpoint Service may have multiple Private Endpoints in different VPCs.
  • VPC/Private Endpoint is the endpoint in the PowerSync VPC. This is what the PowerSync instance connects to.
For custom Endpoint Services for Postgres:
  • Network Load Balancer (NLB) is a load balancer that exposes the source database to the Endpoint Service.
    • Target Group specifies the IPs and ports for the Network Load Balancer to expose.
    • Listener for the Network Load Balancer is what describes the incoming port on the Network Load Balancer (the port that the PowerSync instance connects to).

Private Endpoint Setup

To configure a Private Endpoint Service, a network load balancer is required to forward traffic to the database.This can be used with a Postgres database running on an EC2 instance, or an RDS instance.For AWS RDS, the guide below does not handle dynamic IPs if the RDS instance’s IP changes. This needs additional work to automatically update the IP - see this AWS blog post on the topic. This is specifically relevant if using an RDS cluster with failover support.Use the following steps to configure the Endpoint Service:

1. Create a Target Group

  1. Obtain the RDS Instance’s private IP address. Make sure this points to a writable instance.
  2. Create a Target Group with IP addresses as target type, using the IP address from above. Use TCP protocol, and specify the database port (typically 5432 for Postgres).
  3. Note: The IP address of your RDS instance may change over time. To maintain a consistent connection, consider implementing automation to monitor and update the target group’s IP address as needed. See the AWS blog post on the topic.

2. Create a Network Load Balancer (NLB)

  1. Select the same VPC as your RDS instance.
  2. Choose at least two subnets in different availability zones.
  3. Configure a TCP listener and pick a port (for example 5432 again).
  4. Associate the listener with the target group created earlier.

3. Modify the Security Group

  1. Modify the security group associated with your RDS instance to permit traffic from the load balancer IP range.

4. Create a VPC Endpoint Service

  1. In the AWS Management Console, navigate to the VPC service and select Endpoint Services.
  2. Click on “Create Endpoint Service”.
  3. Select the Network Load Balancer created in the previous step.
  4. If the load balancer is in one of the PowerSync regions (see below), it is not required to select any “Supported Region”. If the load balancer is in a different region, select the region corresponding to your PowerSync instance here. Note that this will incur additional AWS charges for the cross-region support.
  5. Decide whether to require acceptance for endpoint connections. Disabling acceptance can simplify the process but may reduce control over connections.
  6. Under “Supported IP address types”, select both IPv4 and IPv6.
  7. After creating the endpoint service, note the Service Name. This identifier will be used when configuring PowerSync to connect via PrivateLink.
  8. Configure the Endpoint Service to accept connections from the principal arn:aws:iam::131569880293:root. See the AWS documentation for details.

5. PowerSync Setup

On PowerSync, create a new instance, but do not configure the connection yet.Contact us and provide the Service Name from above, as well as the PowerSync instance ID created above. We will then configure the instance to use the Endpoint Service for the database connection.

6. Deploy

Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.Verify the connection details, and deploy the instance. Monitor the logs to ensure the instance can connect after deploying.

AWS Regions

PowerSync currently runs in the AWS regions below. Make sure the region matching your PowerSync instance is supported in by the Endpoint Service.
  1. US: us-east-1
  2. EU: eu-west-1
  3. BR: sa-east-1
  4. JP: ap-northeast-1
  5. AU: ap-southeast-2
I