To avoid exposing a database in AWS to the public internet, using AWS Private Endpoints (AWS PrivateLink) is an option that provides private networking between the source database and the PowerSync Service. Private Endpoints are currently available on our Team and Enterprise plans.
We use Private Endpoints instead of VPC peering to ensure that no other resources are exposed between the VPCs.
Do not rely on Private Endpoints as the only form of security: PrivateLink removes the database from the public internet, but it does not authenticate the client that connects through it. Always use strong database passwords, and use client certificates if additional security is required.
AWS PrivateLink is the overarching feature on AWS.
VPC/Private Endpoint Service is the service that exposes the database, and lives in the same VPC as the source database. It provides a one-way connection to the database without exposing other resources in the VPC.
VPC/Private Endpoint is the endpoint in the PowerSync VPC. This is what the PowerSync instance connects to.
For custom Endpoint Services for Postgres, see the Custom Endpoint Service for Postgres section below.
AWS PrivateLink in MongoDB Atlas
MongoDB Atlas supports creating an Endpoint Service per project for AWS.
Limitations:
Atlas displays an aws ec2 create-vpc-endpoint command; copy the Endpoint Service Name from its --service-name option. The Service Name should look something like com.amazonaws.vpce.us-east-1.vpce-svc-0123456.
Skip the final step of configuring the VPC Endpoint ID - this will be done later.
On PowerSync, create a new instance, but do not configure the connection yet. Copy the Instance ID.
Contact us and provide the Endpoint Service Name and the PowerSync Instance ID from above.
We will then configure the instance to use the Endpoint Service for the database connection, and provide you with a VPC Endpoint ID, in the form vpce-12346.
On the Atlas Private Endpoint Configuration, in the final step, specify the VPC Endpoint ID from above. If you have already closed the dialog, go through the process of creating a Private Endpoint again. It should have the same Endpoint Service Name as before.
Check that the Endpoint Status changes to Available.
The connection string should look something like mongodb+srv://<db_username>:<db_password>@your-cluster-pl-0.abcde.mongodb.net/.
Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.
Configure the instance with the connection string from the previous step, then deploy. Monitor the logs to ensure the instance can connect after deploying.
Custom Endpoint Service for Postgres
To configure a Private Endpoint Service, a network load balancer is required to forward traffic to the database.
This can be used with a Postgres database running on an EC2 instance, or an RDS instance.
For AWS RDS, the guide below does not handle dynamic IPs if the RDS instance’s IP changes. This needs additional work to automatically update the IP - see this AWS blog post on the topic. This is specifically relevant if using an RDS cluster with failover support.
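The following is an added example of the reconciliation the note above asks for, written for this page rather than taken from PowerSync or AWS. It resolves the RDS endpoint hostname, diffs the result against the IP targets registered on the load balancer's target group, and registers new addresses before deregistering stale ones so the listener never has zero targets. Two guards matter for a private endpoint: it refuses to register an address outside the database VPC CIDR (a stale or spoofed DNS answer must not point the endpoint at a host you do not own), and it refuses to empty the target group. TARGET_GROUP_ARN, RDS_ENDPOINT and VPC_CIDR are placeholders; the FakeElbv2 client and the resolver lambda in main() are constructed so the script runs offline, and swapping in boto3.client("elbv2") and resolve_ipv4 makes it the real thing (run it on a schedule, e.g. from Lambda).

```python
"""Keep an NLB "ip" target group pointed at the current address of an RDS endpoint.

Added example, not code from PowerSync or AWS. Assumed placeholders (replace
them): TARGET_GROUP_ARN, RDS_ENDPOINT and VPC_CIDR. It assumes the target group
was created with target type "ip" on port 5432 and that the script runs where
the RDS endpoint resolves to its private address. Only a real boto3 elbv2
client touches AWS; the demo in main() uses a constructed stand-in.
"""
import ipaddress
import socket
from dataclasses import dataclass

DB_PORT = 5432  # Postgres port used by the target group and the NLB listener
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef"  # placeholder
RDS_ENDPOINT = "example.cluster-abc123.us-east-1.rds.amazonaws.com"  # placeholder
VPC_CIDR = "10.0.0.0/16"  # placeholder: CIDR of the VPC the database lives in


@dataclass(frozen=True)
class TargetPlan:
    """IP targets to add and remove to reach the desired state."""
    register: frozenset
    deregister: frozenset


def resolve_ipv4(hostname: str) -> set:
    """Current IPv4 address(es) of the RDS endpoint; these change on failover."""
    infos = socket.getaddrinfo(hostname, DB_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def plan_target_changes(current: set, desired: set, vpc_cidr: str) -> TargetPlan:
    """Diff current vs. desired targets, with two safety guards.

    1. Never register an address outside the database VPC: a stale or spoofed
       DNS answer must not point the private endpoint at a host you don't own.
    2. Never plan a change that leaves the target group empty.
    """
    net = ipaddress.ip_network(vpc_cidr)
    if not desired:
        raise ValueError("endpoint resolved to no addresses; leaving targets unchanged")
    for ip in desired:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside the database VPC {vpc_cidr}")
    return TargetPlan(register=frozenset(desired - current),
                      deregister=frozenset(current - desired))


def current_targets(elbv2, target_group_arn: str) -> set:
    """IP targets currently registered, whatever their health state."""
    resp = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    return {d["Target"]["Id"] for d in resp["TargetHealthDescriptions"]}


def apply_plan(elbv2, target_group_arn: str, plan: TargetPlan) -> None:
    """Register new targets before deregistering old ones, so the NLB never has zero targets."""
    if plan.register:
        elbv2.register_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": DB_PORT} for ip in sorted(plan.register)])
    if plan.deregister:
        elbv2.deregister_targets(
            TargetGroupArn=target_group_arn,
            Targets=[{"Id": ip, "Port": DB_PORT} for ip in sorted(plan.deregister)])


def sync_targets(elbv2, target_group_arn: str, rds_endpoint: str, vpc_cidr: str,
                 resolver=resolve_ipv4) -> TargetPlan:
    """One reconciliation pass; run it on a schedule (e.g. from Lambda every minute)."""
    plan = plan_target_changes(current_targets(elbv2, target_group_arn),
                               resolver(rds_endpoint), vpc_cidr)
    apply_plan(elbv2, target_group_arn, plan)
    return plan


class FakeElbv2:
    """Constructed stand-in for boto3.client("elbv2") so the example runs offline."""

    def __init__(self, registered):
        self.registered = set(registered)

    def describe_target_health(self, TargetGroupArn):
        return {"TargetHealthDescriptions":
                [{"Target": {"Id": ip, "Port": DB_PORT}} for ip in sorted(self.registered)]}

    def register_targets(self, TargetGroupArn, Targets):
        self.registered |= {t["Id"] for t in Targets}

    def deregister_targets(self, TargetGroupArn, Targets):
        self.registered -= {t["Id"] for t in Targets}


if __name__ == "__main__":
    # Offline demo: constructed client holding a stale pre-failover address, and a
    # constructed DNS answer. For real use: boto3.client("elbv2") and resolve_ipv4.
    elbv2 = FakeElbv2({"10.0.1.10"})
    plan = sync_targets(elbv2, TARGET_GROUP_ARN, RDS_ENDPOINT, VPC_CIDR,
                        resolver=lambda host: {"10.0.2.20"})
    print("registered:", sorted(plan.register), "deregistered:", sorted(plan.deregister))
    print("target group now:", sorted(elbv2.registered))
```

The target group's deregistration delay still applies to the old address, so in-flight connections drain rather than being cut; connections the PowerSync instance opens after the pass go to the new writer.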
Use the following steps to configure the Endpoint Service:
1. Create a target group with the database's private IP address as the target (port 5432 for Postgres).
2. Create a Network Load Balancer in the database VPC with a TCP listener that forwards to that target group (port 5432 again).
3. Create a VPC Endpoint Service backed by the load balancer, and allow the principal arn:aws:iam::131569880293:root. See the AWS documentation for details.
4. On PowerSync, create a new instance, but do not configure the connection yet.
Contact us and provide the Service Name from above, as well as the PowerSync instance ID created above. We will then configure the instance to use the Endpoint Service for the database connection.
Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.
Verify the connection details, and deploy the instance. Monitor the logs to ensure the instance can connect after deploying.
PowerSync currently runs in the AWS regions below. Make sure the region matching your PowerSync instance is supported by the Endpoint Service.
us-east-1
eu-west-1
sa-east-1
ap-northeast-1
ap-southeast-2