# Private Endpoints

> Connect PowerSync Cloud to your database over AWS PrivateLink without public internet exposure.

Private Endpoints use [AWS PrivateLink](https://aws.amazon.com/privatelink/) to provide private networking between your source database and the PowerSync Service, without exposing the database to the public internet. They are available on our [Team and Enterprise plans](https://www.powersync.com/pricing) and can be managed in the [PowerSync Dashboard](https://dashboard.powersync.com/) under **Organization settings**.

<Warning>
  Do not rely on Private Endpoints as the only form of security. PrivateLink removes the database from the public internet but does not authenticate the client, so always use strong database passwords, and use client certificates if additional security is required.
</Warning>

## Current Limitations

1. Private Endpoints are currently only supported for Postgres and MongoDB instances. [Contact us](/resources/contact-us) if you need this for MySQL or SQL Server.
2. Only AWS is supported currently. Other cloud providers are not supported yet.
3. Private Endpoints can currently only be managed in the Dashboard. CLI support is not yet available.

## Concepts

* [AWS PrivateLink](https://aws.amazon.com/privatelink/) is the overarching AWS feature.

* **VPC/Private Endpoint Service** is the service that exposes the database. It lives in the same VPC as the source database and provides a one-way connection without exposing other resources in the VPC.

  * **Service Name** is the unique identifier for the Endpoint Service, in the form `com.amazonaws.vpce.<region>.vpce-svc-<id>`.
  * Each Endpoint Service may have multiple Private Endpoints in different VPCs.

* **VPC/Private Endpoint** is the endpoint in the PowerSync VPC that the PowerSync instance connects to.

  * **VPC Endpoint ID** is the identifier of this endpoint, in the form `vpce-<id>`. You use this ID to accept the connection on the Endpoint Service side.

For custom Endpoint Services for Postgres:

* **Network Load Balancer (NLB)** forwards traffic from the Endpoint Service to the source database.
  * **Target Group** specifies the backend the NLB forwards to: the database's private IP address(es) and port.
  * **Listener** describes the incoming port on the NLB (the port the PowerSync instance connects to). It does not have to equal the database port, but the port you enter in the PowerSync connection details must be the listener port.

## Private Endpoint Setup

The flow is the same for both supported source databases: configure an Endpoint Service in front of your database, create a matching Private Endpoint in the PowerSync Dashboard, accept the connection, then point your database connection at the endpoint.

<Steps>
  <Step title="Configure an Endpoint Service">
    Set up an Endpoint Service in front of your source database and copy its **Service Name**.

    <Tabs>
      <Tab title="MongoDB Atlas">
        MongoDB Atlas supports creating an Endpoint Service per project for AWS.

        **Limitations:**

        1. Only Atlas clusters in AWS are supported.
        2. PowerSync does not support PrivateLink for MongoDB clusters self-hosted in AWS, only Atlas clusters.
        3. If your cluster is in a newer AWS region, you may not be able to create Private Endpoints until we activate that region. See [AWS Regions](https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html#available-regions) for the list of regions enabled by default.

        Create an Endpoint Service:

        1. In the Atlas project dashboard, go to **Security** → **Database & Network Access** → **Network Access** → **Private Endpoint**.
        2. On the **Dedicated Cluster** tab click **Create endpoint service**.
        3. Select **AWS** as the Cloud Provider and the Atlas Region in which your cluster runs.
        4. Under **Accepted Endpoint Regions**, select the AWS region where your PowerSync instances are hosted. See [AWS Regions](#aws-regions) for the mapping of PowerSync regions to AWS regions.
        5. Click **Create endpoint service**.
        6. Wait for the **Endpoint Service** to be created.
        7. Copy the **Endpoint Service Name/ID**. You will use this when creating a Private Endpoint in the PowerSync Dashboard.
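        The same Atlas steps, expressed for the `mongodbatlas` Terraform provider. This is an added example, not PowerSync's or MongoDB's own code. It assumes the Atlas project ID is yours to fill in, that the cluster runs in `US_EAST_1` (matching the PowerSync US region) and that the Atlas cluster and the PowerSync instance are in the same AWS region, so no extra **Accepted Endpoint Region** is needed. `powersync_vpc_endpoint_id` stays empty until the Private Endpoint exists in the PowerSync Dashboard; filling it in performs the later **Add Endpoint** step.

        ```hcl
        # Added example (not PowerSync or MongoDB code). Assumptions: an existing
        # Atlas project; cluster and PowerSync instance both in us-east-1.

        variable "atlas_project_id" {
          type = string
        }

        variable "powersync_vpc_endpoint_id" {
          type        = string
          default     = ""
          description = "vpce-... shown in the PowerSync Dashboard; leave empty until it exists"
        }

        # Step 1: the Endpoint Service, in the AWS region of the Atlas cluster.
        resource "mongodbatlas_privatelink_endpoint" "powersync" {
          project_id    = var.atlas_project_id
          provider_name = "AWS"
          region        = "US_EAST_1" # assumption: cluster region
        }

        # Paste this value into the Dashboard's "Service Name" field.
        output "endpoint_service_name" {
          value = mongodbatlas_privatelink_endpoint.powersync.endpoint_service_name
        }

        # Later step: connect the PowerSync VPC Endpoint ID to the service
        # (the console's "Add Endpoint" / "Connect Existing Endpoint" flow).
        resource "mongodbatlas_privatelink_endpoint_service" "powersync" {
          count               = var.powersync_vpc_endpoint_id == "" ? 0 : 1
          project_id          = mongodbatlas_privatelink_endpoint.powersync.project_id
          private_link_id     = mongodbatlas_privatelink_endpoint.powersync.private_link_id
          endpoint_service_id = var.powersync_vpc_endpoint_id
          provider_name       = "AWS"
        }
        ```

        Apply once to obtain the service name, create the Private Endpoint in the Dashboard, then set `powersync_vpc_endpoint_id` and apply again. Check that the ID you paste is the one shown on the endpoint's card in the Dashboard; connecting any other endpoint ID would admit a different VPC to your cluster.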
      </Tab>

      <Tab title="Custom Endpoint Service for Postgres">
        To expose a Postgres database via PrivateLink, you need a Network Load Balancer that forwards traffic to the database. This works for Postgres running on EC2 or RDS.

        <Warning>
          For AWS RDS, the steps below do not handle dynamic IPs if the RDS instance's IP changes. This is specifically relevant when using an RDS cluster with failover support. See this [AWS blog post](https://aws.amazon.com/blogs/database/access-amazon-rds-across-vpcs-using-aws-privatelink-and-network-load-balancer/) for handling IP changes automatically.
        </Warning>

        1. **Create a Target Group**:
           1. Obtain the RDS instance's private IP address, for example by resolving the instance's endpoint hostname from a host inside the VPC, where it resolves to the private address. Make sure this is the writer instance and not a read replica; PowerSync needs a writable connection.
           2. Create a **Target Group** with IP addresses as the target type, using the IP from above. Use the TCP protocol and the database port (typically `5432` for Postgres).
        2. **Create a Network Load Balancer (NLB)**:
           1. Select the same VPC as your RDS instance.
           2. Select at least two subnets in different availability zones.
           3. Configure a TCP listener on a port of your choice (for example, `5432`).
           4. Associate the listener with the target group from the previous step.
        3. **Modify the security group** associated with your RDS instance to permit inbound TCP on the database port from the load balancer's private IP addresses (the CIDRs of the subnets you selected for the NLB are a practical approximation). Traffic arriving via PrivateLink reaches the database with the NLB's private addresses as its source, so there is no need to open the port to `0.0.0.0/0`.
        4. **Create a VPC Endpoint Service**:
           1. In the AWS Management Console, go to the VPC service and select **Endpoint Services**.
           2. Click **Create Endpoint Service**.
           3. Select the Network Load Balancer from the previous step.
           4. If the load balancer is in the same AWS region as your PowerSync instance (see [AWS regions](#aws-regions)), you do not need to select any "Supported Region". If the load balancer is in a different region, select the region corresponding to your PowerSync instance. Cross-region support incurs additional AWS charges.
           5. Decide whether to require acceptance for endpoint connections. Requiring acceptance is recommended: it lets you compare each connection request's VPC Endpoint ID with the one shown in the PowerSync Dashboard before any traffic can flow. With acceptance disabled, every endpoint created by an allowed principal connects automatically, so the principal list in step 8 becomes your only control.
           6. Under **Supported IP address types**, select both IPv4 and IPv6.
           7. Note the **Service Name**. You will use this when creating the Private Endpoint in the PowerSync Dashboard.
           8. Configure the Endpoint Service to accept connections from the principal `arn:aws:iam::131569880293:root`. See the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permissions) for details.
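        The same steps as Terraform, for readers automating the setup. This is an added example rather than PowerSync's or AWS's own code. It assumes an existing RDS instance whose private IP, security group, VPC and two NLB subnet IDs you supply as variables, uses `5432` for both the target and listener ports, and fixes the two choices above that matter for security: acceptance is required, and the only allowed principal is the PowerSync account from step 8. It lists only `ipv4` as a supported IP address type; add `ipv6` as step 6 suggests once the NLB is dualstack. The `aws_vpc_endpoint_connection_accepter` resource covers the later acceptance step once you have the VPC Endpoint ID from the Dashboard. Like the console steps, the static IP target does not follow an RDS failover.

        ```hcl
        # Added example (not PowerSync or AWS code). Assumptions: an existing RDS
        # Postgres instance; its private IP, security group, VPC and two NLB
        # subnets (different AZs) are supplied through the variables below.

        variable "vpc_id" {
          type = string
        }

        variable "nlb_subnet_ids" {
          type        = list(string)
          description = "At least two subnets in different availability zones"
        }

        variable "rds_private_ip" {
          type        = string
          description = "Private IP of the writer instance (static; does not follow failover)"
        }

        variable "rds_security_group_id" {
          type = string
        }

        variable "powersync_vpc_endpoint_id" {
          type        = string
          default     = ""
          description = "vpce-... shown in the PowerSync Dashboard; leave empty until it exists"
        }

        locals {
          db_port             = 5432
          powersync_principal = "arn:aws:iam::131569880293:root" # from step 8 above
        }

        # Step 1: target group pointing at the database's private IP.
        resource "aws_lb_target_group" "postgres" {
          name        = "powersync-postgres"
          target_type = "ip"
          protocol    = "TCP"
          port        = local.db_port
          vpc_id      = var.vpc_id
        }

        resource "aws_lb_target_group_attachment" "postgres" {
          target_group_arn = aws_lb_target_group.postgres.arn
          target_id        = var.rds_private_ip
          port             = local.db_port
        }

        # Step 2: internal NLB spanning two AZs. The single IP target lives in one
        # AZ, so cross-zone load balancing is enabled; otherwise connections that
        # land on the other AZ's node would find no target.
        resource "aws_lb" "postgres" {
          name                             = "powersync-postgres-nlb"
          load_balancer_type               = "network"
          internal                         = true
          subnets                          = var.nlb_subnet_ids
          enable_cross_zone_load_balancing = true
        }

        resource "aws_lb_listener" "postgres" {
          load_balancer_arn = aws_lb.postgres.arn
          protocol          = "TCP"
          port              = local.db_port # the port entered in the PowerSync connection details

          default_action {
            type             = "forward"
            target_group_arn = aws_lb_target_group.postgres.arn
          }
        }

        # Step 3: allow the database port only from the NLB's subnets (PrivateLink
        # traffic reaches the database with the NLB's private addresses as source).
        data "aws_subnet" "nlb" {
          for_each = toset(var.nlb_subnet_ids)
          id       = each.value
        }

        resource "aws_vpc_security_group_ingress_rule" "rds_from_nlb" {
          for_each          = data.aws_subnet.nlb
          security_group_id = var.rds_security_group_id
          description       = "Postgres from PowerSync PrivateLink NLB in ${each.key}"
          ip_protocol       = "tcp"
          from_port         = local.db_port
          to_port           = local.db_port
          cidr_ipv4         = each.value.cidr_block
        }

        # Step 4: the Endpoint Service. Acceptance stays required and only the
        # PowerSync account may create endpoints against it.
        resource "aws_vpc_endpoint_service" "postgres" {
          acceptance_required        = true
          network_load_balancer_arns = [aws_lb.postgres.arn]
          allowed_principals         = [local.powersync_principal]
          supported_ip_address_types = ["ipv4"] # add "ipv6" once the NLB is dualstack
        }

        # Paste this into the Dashboard's "Service Name" field.
        output "service_name" {
          value = aws_vpc_endpoint_service.postgres.service_name
        }

        # Later step: accept the connection request for the Dashboard's VPC Endpoint ID.
        resource "aws_vpc_endpoint_connection_accepter" "powersync" {
          count                   = var.powersync_vpc_endpoint_id == "" ? 0 : 1
          vpc_endpoint_service_id = aws_vpc_endpoint_service.postgres.id
          vpc_endpoint_id         = var.powersync_vpc_endpoint_id
        }
        ```

        Apply once to get the service name, create the Private Endpoint in the Dashboard, then set `powersync_vpc_endpoint_id` to the ID shown on the endpoint's card and apply again. The security group rules are keyed by subnet, so adding or removing an NLB subnet updates them automatically; the target IP is the one value you must revisit by hand after an RDS failover.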
      </Tab>
    </Tabs>
  </Step>

  <Step title="Create the Private Endpoint in the Dashboard">
    In the [PowerSync Dashboard](https://dashboard.powersync.com/), open **Organization settings** and locate the **Private Endpoints** section.

    1. Click **Create**.
    2. Provide the following details:
       * **Name**: a recognizable name for the endpoint (for example, `my-private-endpoint`).
       * **Service Name**: the Endpoint Service Name from the previous step (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0123456`).
       * **Region**: the PowerSync region to create the Private Endpoint in. This must match the region of the PowerSync instance you plan to use the endpoint with. Note that the region of your underlying AWS PrivateLink Endpoint Service does not need to match.
    3. Click **Create**.
    4. The endpoint is created in a `Pending acceptance` state and will only be available once accepted on the Endpoint Service side.
  </Step>

  <Step title="Accept the connection on the Endpoint Service">
    Copy the **VPC Endpoint ID** from the endpoint's card in the Dashboard and use it to accept the connection on the Endpoint Service side.

    <Tabs>
      <Tab title="MongoDB Atlas">
        In the Atlas project dashboard, go to **Security** → **Database & Network Access** → **Network Access** → **Private Endpoint**.

        1. Under the relevant Endpoint Service, click **Add Endpoint**
        2. Select **Connect Existing Endpoint**.
        3. Enter the **VPC Endpoint ID** you copied from the PowerSync Dashboard.
        4. Click **Add endpoint**.
        5. Wait for the endpoint to be added.
      </Tab>

      <Tab title="Custom Endpoint Service for Postgres">
        If you required acceptance when creating the Endpoint Service, go to **VPC** → **Endpoint Services** in the AWS Management Console, select your service, open its **Endpoint connections** tab, and accept the connection request whose **VPC Endpoint ID** matches the one shown in the PowerSync Dashboard. Reject any request with an ID you do not recognize; accepting it would give the requesting account a network path to your database.

        If you disabled acceptance, the connection is accepted automatically and no action is needed here.
      </Tab>
    </Tabs>
  </Step>

  <Step title="Wait for the endpoint to become Available">
    The endpoint's status in the Dashboard reflects the AWS connection state:

    | Status               | Meaning                                                                            |
    | -------------------- | ---------------------------------------------------------------------------------- |
    | `Pending acceptance` | Waiting for you to accept the Private Endpoint connection on the Endpoint Service. |
    | `Pending`            | The Private Endpoint is being provisioned on the Endpoint Service.                 |
    | `Available`          | Ready to use.                                                                      |
    | `Rejected`           | The Private Endpoint connection was rejected by the Endpoint Service.              |
    | `Failed`             | Private Endpoint creation failed.                                                  |

    Once the status changes to `Available`, the endpoint can be selected when configuring a database connection.
  </Step>

  <Step title="Connect your database using the Private Endpoint">
    1. In the Dashboard, open the PowerSync instance and go to the **Database Connections** view.
    2. Click **Connect to Source Database** (or edit an existing connection) and select the **Postgres** or **MongoDB** tab.
    3. In the **Private Endpoint** dropdown, select your endpoint. Only endpoints in the same region as the instance with status `Available` are selectable.
    4. Fill in the rest of the connection details:
       * **For Postgres**: enter your database connection details as usual, using the NLB listener port as the port. PowerSync routes traffic through the Private Endpoint to your load balancer, which forwards it to the database.
       * **For MongoDB**: on the Atlas cluster, click **Connect**, choose **Private Endpoint** as the connection type, select the provisioned endpoint, choose **Drivers** as the connection method, and copy the resulting connection string. It should look something like `mongodb+srv://<db_username>:<db_password>@your-cluster-pl-0.abcde.mongodb.net/`. Paste it into the **URI** field in the Dashboard.
    5. Click **Test Connection** and resolve any errors.
    6. Click **Save Connection**.

    PowerSync deploys and configures an isolated cloud environment for you, which can take a few minutes. Monitor the logs to confirm the instance connects.
  </Step>
</Steps>

## AWS Regions

PowerSync Cloud currently runs in the AWS regions below. Your Endpoint Service can run in any AWS region, as long as it accepts connections from the AWS region of your PowerSync instance. The Private Endpoint itself must be created in the same region as the PowerSync instance.

1. US: `us-east-1`
2. EU: `eu-west-1`
3. BR: `sa-east-1`
4. JP: `ap-northeast-1`
5. AU: `ap-southeast-2`
