PowerSync Cloud: AWS Private Endpoints

To avoid exposing a database in AWS to the public internet, AWS Private Endpoints (AWS PrivateLink) provide private networking between the source database and the PowerSync Service, so that traffic never traverses the public internet. Private Endpoints are currently available on our Team and Enterprise plans.

We use Private Endpoints instead of VPC peering to ensure that no other resources are exposed between the VPCs.

Do not rely on Private Endpoints as the only form of security. Always use strong database passwords, and use client certificates if additional security is required.

Current Limitations

  1. Private Endpoints are currently only supported for Postgres and MongoDB instances. Contact us if you need this for MySQL.
  2. Self-service is not yet available on the PowerSync side - contact PowerSync support to configure the instance.
  3. Only AWS is supported currently, other cloud providers are not supported yet.
  4. “Test Connection” on the PowerSync Dashboard is not supported yet - the instance has to be deployed to test the connection.

Concepts

  • AWS PrivateLink is the overarching feature on AWS.
  • VPC/Private Endpoint Service is the service that exposes the database, and lives in the same VPC as the source database. It provides a one-way connection to the database without exposing other resources in the VPC.
    • Endpoint Service Name is a unique identifier for this Endpoint Service.
    • Each Endpoint Service may have multiple Private Endpoints in different VPCs.
  • VPC/Private Endpoint is the endpoint in the PowerSync VPC. This is what the PowerSync instance connects to.

For custom Endpoint Services for Postgres:

  • Network Load Balancer (NLB) is a load balancer that exposes the source database to the Endpoint Service.
    • Target Group specifies the IPs and ports for the Network Load Balancer to expose.
    • Listener for the Network Load Balancer is what describes the incoming port on the Network Load Balancer (the port that the PowerSync instance connects to).
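The following Terraform configuration is an added example, not PowerSync's own code, showing how the pieces above fit together for a custom Postgres Endpoint Service. The VPC, subnet, database IP and the PowerSync account principal are placeholders; the real principal and the accepted connection are arranged with PowerSync support.

```hcl
locals {
  db_private_ip       = "10.0.1.25"                       # placeholder: Postgres host private IP
  db_port             = 5432
  powersync_principal = "arn:aws:iam::111111111111:root"  # placeholder: supplied by PowerSync
}
# Network Load Balancer, internal only, in the same VPC as the database.
resource "aws_lb" "db_nlb" {
  name               = "powersync-db-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = ["subnet-0123456789abcdef0"] # placeholder
}

# Target Group: the database IP and port the NLB forwards to.
resource "aws_lb_target_group" "db" {
  name        = "powersync-db-tg"
  target_type = "ip"
  protocol    = "TCP"
  port        = local.db_port
  vpc_id      = "vpc-0123456789abcdef0" # placeholder
}

# Caveat: a managed database's private IP can change (e.g. after failover),
# so this attachment must be kept current or the Endpoint Service goes dark.
resource "aws_lb_target_group_attachment" "db" {
  target_group_arn = aws_lb_target_group.db.arn
  target_id        = local.db_private_ip
  port             = local.db_port
}

# Listener: the incoming NLB port that the PowerSync instance connects to.
resource "aws_lb_listener" "db" {
  load_balancer_arn = aws_lb.db_nlb.arn
  protocol          = "TCP"
  port              = local.db_port
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.db.arn
  }
}

# Endpoint Service: exposes only the NLB. Endpoint connections must be accepted
# explicitly, and only the PowerSync account may request one.
resource "aws_vpc_endpoint_service" "db" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.db_nlb.arn]
  allowed_principals         = [local.powersync_principal]
}

# The Endpoint Service Name to hand to PowerSync support.
output "endpoint_service_name" { value = aws_vpc_endpoint_service.db.service_name }
```

Keeping acceptance_required and allowed_principals in place is what limits the Endpoint Service to the PowerSync account rather than any AWS principal that learns the service name.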

Private Endpoint Setup

AWS Regions

PowerSync currently runs in the AWS regions below. Make sure the region matching your PowerSync instance is supported by the Endpoint Service.

  1. US: us-east-1
  2. EU: eu-west-1
  3. BR: sa-east-1
  4. JP: ap-northeast-1
  5. AU: ap-southeast-2