PowerSync Cloud: AWS Private Endpoints
To avoid exposing a database in AWS to the public internet, using AWS Private Endpoints (AWS PrivateLink) is an option that provides private networking between the source database and the PowerSync Service. Private Endpoints are currently available on our Team and Enterprise plans. We use Private Endpoints instead of VPC peering to ensure that no other resources are exposed between the VPCs.Do not rely on Private Endpoints as the only form of security. Always use strong database passwords, and use client certificates if additional security is required.
Current Limitations
- Private Endpoints are currently only supported for Postgres and MongoDB instances. Contact us if you need this for MySQL.
- Self-service is not yet available on the PowerSync side — contact PowerSync support to configure the instance.
- Only AWS is supported currently — other cloud providers are not supported yet.
- The “Test Connection” function on the PowerSync Dashboard is not supported yet - the instance has to be deployed to test the connection.
Concepts
- AWS PrivateLink is the overarching feature on AWS.
-
VPC/Private Endpoint Service is the service that exposes the database, and lives in the same VPC as the source database. It provides a one-way connection to the database without exposing other resources in the VPC.
- Endpoint Service Name is a unique identifier for this Endpoint Service.
- Each Endpoint Service may have multiple Private Endpoints in different VPCs.
- VPC/Private Endpoint is the endpoint in the PowerSync VPC. This is what the PowerSync instance connects to.
- Network Load Balancer (NLB) is a load balancer that exposes the source database to the Endpoint Service.
- Target Group specifies the IPs and ports for the Network Load Balancer to expose.
- Listener for the Network Load Balancer is what describes the incoming port on the Network Load Balancer (the port that the PowerSync instance connects to).
Private Endpoint Setup
AWS PrivateLink in MongoDB Atlas
AWS PrivateLink in MongoDB Atlas
MongoDB Atlas supports creating an Endpoint Service per project for AWS.Limitations:
- Only Atlas clusters in AWS are supported.
- The Atlas cluster must be in one of the PowerSync AWS regions - see the list below. Cross-region endpoints are not yet supported by MongoDB Atlas.
- This is only supported for Atlas clusters - PowerSync does not support PrivateLink for MongoDB clusters self-hosted in AWS.
1. Configure the Endpoint Service
- In the Atlas project dashboard, go to Network Access → Private Endpoint → Dedicated Cluster.
- Select “Add Private Endpoint”.
- Select AWS and the relevant AWS region.
- Wait for the Endpoint Service to be created.
- “Your VPC ID” and “Your Subnet IDs” are not relevant for PowerSync - leave those blank.
- Avoid running the command to create the “VPC Interface Endpoint”; this step is handled by PowerSync.
- Note the Endpoint Service Name. This is displayed in the command to run, as the
--service-nameoption.
com.amazonaws.vpce.us-east-1.vpce-svc-0123456.Skip the final step of configuring the VPC Endpoint ID - this will be done later.2. PowerSync Setup
On PowerSync, create a new instance, but do not configure the connection yet. Copy the Instance ID.Contact us and provide:- The Endpoint Service Name.
- The PowerSync Instance ID.
vpce-12346.3. Finish Atlas Endpoint Service Setup
On the Atlas Private Endpoint Configuration, in the final step, specify the VPC Endpoint ID from above. If you have already closed the dialog, go through the process of creating a Private Endpoint again. It should have the same Endpoint Service Name as before.Check that the Endpoint Status changes to Available.4. Get the Connection String
- On the Atlas Cluster, select “Connect”.
- Select “Private Endpoint” as the connection type, and select the provisioned endpoint.
- Select “Drivers” as the connection method, and copy the connection string.
mongodb+srv://<db_username>:<db_password>@your-cluster-pl-0.abcde.mongodb.net/.5. Deploy
Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.Configure the instance the connection string from the previous step, then deploy. Monitor the logs to ensure the instance can connect after deploying.Custom Endpoint Service for Postgres
Custom Endpoint Service for Postgres
To configure a Private Endpoint Service, a network load balancer is required to forward traffic to the database.This can be used with a Postgres database running on an EC2 instance, or an RDS instance.For AWS RDS, the guide below does not handle dynamic IPs if the RDS instance’s IP changes. This needs additional work to automatically update the IP - see this AWS blog post on the topic. This is specifically relevant if using an RDS cluster with failover support.Use the following steps to configure the Endpoint Service:
1. Create a Target Group
- Obtain the RDS Instance’s private IP address. Make sure this points to a writable instance.
- Create a Target Group with IP addresses as target type, using the IP address from above. Use TCP protocol, and specify the database port (typically
5432for Postgres). - Note: The IP address of your RDS instance may change over time. To maintain a consistent connection, consider implementing automation to monitor and update the target group’s IP address as needed. See the AWS blog post on the topic.
2. Create a Network Load Balancer (NLB)
- Select the same VPC as your RDS instance.
- Choose at least two subnets in different availability zones.
- Configure a TCP listener and pick a port (for example
5432again). - Associate the listener with the target group created earlier.
3. Modify the Security Group
- Modify the security group associated with your RDS instance to permit traffic from the load balancer IP range.
4. Create a VPC Endpoint Service
- In the AWS Management Console, navigate to the VPC service and select Endpoint Services.
- Click on “Create Endpoint Service”.
- Select the Network Load Balancer created in the previous step.
- If the load balancer is in one of the PowerSync regions (see below), it is not required to select any “Supported Region”. If the load balancer is in a different region, select the region corresponding to your PowerSync instance here. Note that this will incur additional AWS charges for the cross-region support.
- Decide whether to require acceptance for endpoint connections. Disabling acceptance can simplify the process but may reduce control over connections.
- Under “Supported IP address types”, select both IPv4 and IPv6.
- After creating the endpoint service, note the Service Name. This identifier will be used when configuring PowerSync to connect via PrivateLink.
- Configure the Endpoint Service to accept connections from the principal
arn:aws:iam::131569880293:root. See the AWS documentation for details.
5. PowerSync Setup
On PowerSync, create a new instance, but do not configure the connection yet.Contact us and provide the Service Name from above, as well as the PowerSync instance ID created above. We will then configure the instance to use the Endpoint Service for the database connection.6. Deploy
Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.Verify the connection details, and deploy the instance. Monitor the logs to ensure the instance can connect after deploying.AWS Regions
PowerSync currently runs in the AWS regions below. Make sure the region matching your PowerSync instance is supported in by the Endpoint Service.- US:
us-east-1 - EU:
eu-west-1 - BR:
sa-east-1 - JP:
ap-northeast-1 - AU:
ap-southeast-2