Private Endpoints

MongoDB Atlas supports creating an Endpoint Service per project for AWS.

Limitations:

1. Only Atlas clusters in AWS are supported.
2. The Atlas cluster must be in one of the PowerSync AWS regions - see the list below. Cross-region endpoints are not yet supported by MongoDB Atlas.

1. Configure the Endpoint Service

1. In the Atlas project dashboard, go to Network Access → Private Endpoint → Dedicated Cluster.
2. Select “Add Private Endpoint”.
3. Select AWS and the relevant AWS region.
4. Wait for the Endpoint Service to be created.
5. “Your VPC ID” and “Your Subnet IDs” are not relevant for PowerSync - leave those blank.
6. Avoid running the command to create the “VPC Interface Endpoint”; this step is handled by PowerSync.
7. Note the Endpoint Service Name. This is displayed in the command to run, as the --service-name option.

The Service Name should look something like com.amazonaws.vpce.us-east-1.vpce-svc-0123456.

2. Get the connection string

1. On the Atlas Cluster, select “Connect”.
2. Select “Private Endpoint” as the connection type.
3. Select “Drivers” as the connection method, and copy the connection string.

The connection string should look something like mongodb+srv://<db_username>:<db_password>@your-cluster-pl-0.abcde.mongodb.net/.

3. PowerSync Setup

On PowerSync, create a new instance, but do not configure the connection yet. Copy the Instance ID.

Contact us and provide:

1. The Endpoint Service Name.
2. The MongoDB connection string.
3. The PowerSync Instance ID.

We will then configure the instance to use the Endpoint Service for the database connection, and provide you with a VPC Endpoint ID, in the form vpce-12346.

4. Finish Atlas Endpoint Service Setup

On the Atlas Private Endpoint Configuration, in the final step, specify the VPC Endpoint ID from above. If you have already closed the dialog, go through the process of creating a Private Endpoint again. It should have the same Endpoint Service Name as before.

Check that the Endpoint Status changes to Available.

5. Deploy

Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.

Verify the connection details, and deploy the instance. Monitor the logs to ensure the instance can connect after deploying.

To configure a Private Endpoint Service, a network load balancer is required to forward traffic to the database.

This can be used with a Postgres database running on an EC2 instance, or an RDS instance.

For AWS RDS, the guide below does not handle dynamic IPs if the RDS instance’s IP changes. This needs additional work to automatically update the IP - see this AWS blog post on the topic. This is specifically relevant if using an RDS cluster with failover support.

Use the following steps to configure the Endpoint Service:

1. Create a Target Group

1. Obtain the RDS Instance’s private IP address. Make sure this points to a writable instance.
2. Create a Target Group with IP addresses as target type, using the IP address from above. Use TCP protocol, and specify the database port (typically 5432 for Postgres).
3. Note: The IP address of your RDS instance may change over time. To maintain a consistent connection, consider implementing automation to monitor and update the target group’s IP address as needed. See the AWS blog post on the topic.

2. Create a Network Load Balancer (NLB)

1. Select the same VPC as your RDS instance.
2. Choose at least two subnets in different availability zones.
3. Configure a TCP listener and pick a port (for example 5432 again).
4. Associate the listener with the target group created earlier.

3. Modify the security group

1. Modify the security group associated with your RDS instance to permit traffic from the load balancer IP range.

4. Create a VPC Endpoint Service

1. In the AWS Management Console, navigate to the VPC service and select Endpoint Services.
2. Click on “Create Endpoint Service”.
3. Select the Network Load Balancer created in the previous step.
4. If the load balancer is in one of the PowerSync regions (see below), it is not required to select any “Supported Region”. If the load balancer is in a different region, select the region corresponding to your PowerSync instance here. Note that this will incur additional AWS charges for the cross-region support.
5. Decide whether to require acceptance for endpoint connections. Disabling acceptance can simplify the process but may reduce control over connections.
6. Under “Supported IP address types”, select both IPv4 and IPv6.
7. After creating the endpoint service, note the Service Name. This identifier will be used when configuring PowerSync to connect via PrivateLink.
8. Configure the Endpoint Service to accept connections from the principal arn:aws:iam::131569880293:root. See the AWS documentation for details.

5. PowerSync Setup

On PowerSync, create a new instance, but do not configure the connection yet.

Contact us and provide the Service Name from above, as well as the PowerSync instance ID created above. We will then configure the instance to use the Endpoint Service for the database connection.

6. Deploy

Once the Private Endpoint has been created on the PowerSync side, it will be visible in the instance settings under the connection details, as “VPC Endpoint Hostname”.

Verify the connection details, and deploy the instance. Monitor the logs to ensure the instance can connect after deploying.