Private Endpoints - PowerSync

Private Endpoints use AWS PrivateLink to provide private networking between your source database and the PowerSync Service, without exposing the database to the public internet. They are available on our Team and Enterprise plans and can be managed in the PowerSync Dashboard under Organization settings.

Do not rely on Private Endpoints as the only form of security. Always use strong database passwords, and use client certificates if additional security is required.

Current Limitations

Private Endpoints are currently only supported for Postgres and MongoDB instances. Contact us if you need this for MySQL or SQL Server.
Only AWS is supported currently. Other cloud providers are not supported yet.
Private Endpoints can currently only be managed in the Dashboard. CLI support is not yet available.

Concepts

AWS PrivateLink is the overarching AWS feature.
VPC/Private Endpoint Service is the service that exposes the database. It lives in the same VPC as the source database and provides a one-way connection without exposing other resources in the VPC.
- Service Name is the unique identifier for the Endpoint Service, in the form com.amazonaws.vpce.<region>.vpce-svc-<id>.
- Each Endpoint Service may have multiple Private Endpoints in different VPCs.
VPC/Private Endpoint is the endpoint in the PowerSync VPC that the PowerSync instance connects to.
- VPC Endpoint ID is the identifier of this endpoint, in the form vpce-<id>. You use this ID to accept the connection on the Endpoint Service side.

For custom Endpoint Services for Postgres:

Network Load Balancer (NLB) forwards traffic from the Endpoint Service to the source database.
- Target Group specifies the IPs and ports the NLB exposes.
- Listener describes the incoming port on the NLB (the port the PowerSync instance connects to).

Private Endpoint Setup

The flow is the same for both supported source databases: configure an Endpoint Service in front of your database, create a matching Private Endpoint in the PowerSync Dashboard, accept the connection, then point your database connection at the endpoint.

Configure an Endpoint Service

Set up an Endpoint Service in front of your source database and copy its Service Name.

MongoDB Atlas
Custom Endpoint Service for Postgres

MongoDB Atlas supports creating an Endpoint Service per project for AWS.Limitations:

Only Atlas clusters in AWS are supported.
PowerSync does not support PrivateLink for MongoDB clusters self-hosted in AWS, only Atlas clusters.
If your cluster is in a newer AWS region, you may not be able to create Private Endpoints until we activate that region. See AWS Regions for the list of regions enabled by default.

Create an Endpoint Service:

In the Atlas project dashboard, go to Security → Database & Network Access → Network Access -> Private Endpoint.
On the Dedicated Cluster tab click Create endpoint service.
Select AWS as the Cloud Provider and the Atlas Region matching your PowerSync cluster.
Under Accepted Endpoint Regions, select the AWS region where your PowerSync instances are hosted. See AWS Regions for the mapping of PowerSync regions to AWS regions.
Click Create endpoint service.
Wait for the Endpoint Service to be created.
Copy the Endpoint Service Name/ID. You will use this when creating a Private Endpoint in the PowerSync Dashboard.

To expose a Postgres database via PrivateLink, you need a Network Load Balancer that forwards traffic to the database. This works for Postgres running on EC2 or RDS.

For AWS RDS, the steps below do not handle dynamic IPs if the RDS instance’s IP changes. This is specifically relevant when using an RDS cluster with failover support. See this AWS blog post for handling IP changes automatically.

Create a Target Group:
1. Obtain the RDS instance’s private IP address. Make sure this points to a writable instance.
2. Create a Target Group with IP addresses as the target type, using the IP from above. Use TCP protocol and the database port (typically 5432 for Postgres).
Create a Network Load Balancer (NLB):
1. Select the same VPC as your RDS instance.
2. Select at least two subnets in different availability zones.
3. Configure a TCP listener on a port of your choice (for example, 5432).
4. Associate the listener with the target group from the previous step.
Modify the security group associated with your RDS instance to permit traffic from the load balancer IP range.
Create a VPC Endpoint Service:
1. In the AWS Management Console, go to the VPC service and select Endpoint Services.
2. Click Create Endpoint Service.
3. Select the Network Load Balancer from the previous step.
4. If the load balancer is in one of the PowerSync AWS regions, you do not need to select any “Supported Region”. If the load balancer is in a different region, select the region corresponding to your PowerSync instance. Cross-region support incurs additional AWS charges.
5. Decide whether to require acceptance for endpoint connections. Disabling acceptance simplifies the process but reduces control over connections.
6. Under Supported IP address types, select both IPv4 and IPv6.
7. Note the Service Name. You will use this when creating the Private Endpoint in the PowerSync Dashboard.
8. Configure the Endpoint Service to accept connections from the principal arn:aws:iam::131569880293:root. See the AWS documentation for details.

Create the Private Endpoint in the Dashboard

In the PowerSync Dashboard, open your organization’s Settings and locate the Private Endpoints section.

Click Create.
Provide the following details:
- Name: a recognizable name for the endpoint (for example, my-private-endpoint).
- Service Name: the Endpoint Service Name from the previous step (for example, com.amazonaws.vpce.us-east-1.vpce-svc-0123456).
- Region: the PowerSync region to create the Private Endpoint in. This must match the region of the PowerSync instance you plan to use the endpoint with.
Click Create.
The endpoint is created in a Pending Acceptance state and will only be available once accepted on the Endpoint Service side.

A Private Endpoint can only be used by PowerSync instances in the same region. Endpoints in other regions will not appear in the connection form.

Accept the connection on the Endpoint Service

Copy the VPC Endpoint ID from the endpoint’s card in the Dashboard and use it to accept the connection on the Endpoint Service side.

MongoDB Atlas
Custom Endpoint Service for Postgres

In the Atlas project dashboard, go to Security → Database & Network Access → Network Access -> Private Endpoint.

Under the relevant Endpoint Service, click Add Endpoint
Select Connect Existing Endpoint.
Enter the VPC Endpoint ID you copied from the PowerSync Dashboard.
Click Add endpoint.
Wait for the endpoint to be added.

Wait for the endpoint to become Available

The endpoint’s status in the Dashboard reflects the AWS connection state:

Status	Meaning
`Pending acceptance`	Waiting for you to accept the Private Endpoint connection on the Endpoint Service.
`Pending`	The Private Endpoint is being provisioned on the Endpoint Service.
`Available`	Ready to use.
`Rejected`	The Private Endpoint connection was rejected by the Endpoint Service.
`Failed`	Private Endpoint creation failed.

Once the status changes to Available, the endpoint can be selected when configuring a database connection.

Connect your database using the Private Endpoint

In the Dashboard, open the PowerSync instance and go to the Database Connections view.
Click Connect to Source Database (or edit an existing connection) and select the Postgres or MongoDB tab.
In the Private Endpoint dropdown, select your endpoint. Only endpoints in the same region as the instance with status Available are selectable.
Fill in the rest of the connection details:
- For Postgres: enter your database connection details as usual. PowerSync routes traffic through the Private Endpoint to your load balancer.
- For MongoDB: on the Atlas cluster, click Connect, choose Private Endpoint as the connection type, select the provisioned endpoint, choose Drivers as the connection method, and copy the resulting connection string. It should look something like mongodb+srv://<db_username>:<db_password>@your-cluster-pl-0.abcde.mongodb.net/. Paste it into the URI field in the Dashboard.
Click Test Connection and resolve any errors.
Click Save Connection.

PowerSync deploys and configures an isolated cloud environment for you, which can take a few minutes. Monitor the logs to confirm the instance connects.

AWS Regions

PowerSync Cloud currently runs in the AWS regions below. Make sure that your Endpoint Service accepts connections from the relevant AWS region, and that the Private Endpoint is created in the same region as the PowerSync instance.

US: us-east-1
EU: eu-west-1
BR: sa-east-1
JP: ap-northeast-1
AU: ap-southeast-2

Documentation Index

​Current Limitations

​Concepts

​Private Endpoint Setup

​AWS Regions

Current Limitations

Concepts

Private Endpoint Setup

AWS Regions