Private Endpoints no longer require contacting support. Add a Private
Endpoints subsection under PowerSync Cloud Setup covering the self-serve
dashboard flow, endpoint status table, and current limitations.
@@ -206,6 +207,35 @@ For full CLI setup workflow, see `references/powersync-cli.md` → Cloud Usage.
206
207
207
208
See [PowerSync Cloud Instances](https://docs.powersync.com/configuration/powersync-service/cloud-instances.md) for detailed dashboard step-by-step instructions.
208
209
210
+
## Private Endpoints
211
+
212
+
> Load this section only when the operator needs to connect PowerSync Cloud to a source database over AWS PrivateLink without public internet exposure.
213
+
214
+
Private Endpoints use AWS PrivateLink for private networking between your source database and PowerSync Cloud. Available on Team/Enterprise plans. **Dashboard-only — no CLI support yet.** Only AWS is supported; only Postgres (via custom Endpoint Service) and MongoDB Atlas are supported.
215
+
216
+
**Setup flow:**
217
+
218
+
1. **Configure an Endpoint Service** in front of your source database and copy its **Service Name** (`com.amazonaws.vpce.<region>.vpce-svc-<id>`):
219
+
- *MongoDB Atlas*: Security → Database & Network Access → Network Access → Private Endpoint → Dedicated Cluster → Create endpoint service. Select the Atlas region matching your PowerSync cluster and the PowerSync AWS region under Accepted Endpoint Regions.
220
+
- *Custom Postgres*: Create a Target Group (IP type, TCP, port 5432) → Network Load Balancer → VPC Endpoint Service. Allow principal `arn:aws:iam::131569880293:root` to connect.
221
+
2. **Create the Private Endpoint in the Dashboard**: Dashboard → Organization Settings → Private Endpoints → Create. Provide a name, the Service Name from step 1, and the PowerSync region matching your instance. The endpoint starts in `Pending Acceptance` state.
222
+
3. **Copy the VPC Endpoint ID** (`vpce-<id>`) from the Dashboard and accept the connection on the Endpoint Service:
223
+
- *Atlas*: Network Access → Private Endpoint → Add Endpoint → Connect Existing Endpoint → enter the VPC Endpoint ID.
224
+
- *Custom Postgres*: AWS Console → VPC → Endpoint Services → accept the connection request matching the VPC Endpoint ID (only needed if you required acceptance when creating the service).
225
+
4. **Wait for `Available`** status in the Dashboard:
226
+
227
+
| Status | Meaning |
228
+
|--------|---------|
229
+
| `Pending acceptance` | Waiting for you to accept the connection on the Endpoint Service. |
230
+
| `Pending` | Being provisioned. |
231
+
| `Available` | Ready to use. |
232
+
| `Rejected` | Rejected by the Endpoint Service. |
233
+
| `Failed` | Creation failed. |
234
+
235
+
5. **Connect using the Private Endpoint**: Instance → Database Connections → select the endpoint in the Private Endpoint dropdown (only `Available` endpoints in the same region are selectable). For MongoDB Atlas, use the connection string from the Atlas Connect dialog with Private Endpoint selected as the connection type.
236
+
237
+
**AWS regions supported:** `us-east-1`, `eu-west-1`, `sa-east-1`, `ap-northeast-1`, `ap-southeast-2`. The Private Endpoint must be in the same region as the PowerSync instance.
238
+
209
239
## Source Database Setup
210
240
211
241
Important: For all database user creation below, generate a cryptographically secure password (e.g., `openssl rand -base64 32` or a password manager). Never use placeholder values like `secure_password`, `password`, or `admin123` in production — these are unsafe and must not be suggested to the operator.
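Review bot: In step 1's *Custom Postgres* bullet, the allowed principal `arn:aws:iam::131569880293:root` appears as a bare account ID, with no statement of whose account it is and no link to where it can be verified. This line tells the operator to grant an external AWS account permission to connect to the Endpoint Service in front of their database, so name the account owner and link the authoritative docs page so the value can be confirmed before it is allow-listed. Related: step 3 treats acceptance as optional ("only needed if you required acceptance when creating the service"); consider recommending that acceptance be required, so each connection request is checked against the VPC Endpoint ID copied from the Dashboard before it is accepted. Smaller point: step 2 writes the initial state as `Pending Acceptance` while the status table writes `Pending acceptance`; pick one spelling so it matches what the Dashboard shows. The table also lists `Rejected` and `Failed` without saying what the operator should do next; a short recovery hint for each would help.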