To avoid putting unnecessary load on your primary database during data transfer, we recommend connecting to a read replica. Step 1 covers creating one on AWS. This step is optional, and you can connect directly to your primary instance if you prefer.
Step 1: Create a read replica (optional)
- AWS RDS
- AWS Aurora
Create the read replica
In your Amazon RDS dashboard, click the PostgreSQL instance you want to replicate. On the database page, click Actions, then select Create read replica from the drop-down.

Choose an instance size
In the Instance specifications section, specify the instance type for the read replica. It can be smaller than the main instance.

Make the replica reachable
In the Network & Security section, under Publicly accessible, select Yes so that the read replica is reachable from outside your VPC. It remains accessible only through whitelisted IPs. If you plan to connect through an SSH tunnel, you can leave this set to No.

Step 2: Allow network access
Allow read access to your PostgreSQL database, or to the read replica you created in Step 1, from the static IP. Reach out to your account representative for the static IP address to use.
- AWS RDS or Aurora
- Other environments
Configure the security group
Note the endpoint and port
In your Amazon RDS > Databases list, click the PostgreSQL instance you want to connect. In the Connectivity & security tab, make a note of the Endpoint and the Port number.

Open the VPC security group
Click one of the VPC security groups (usually default). Security group rules are permissive rather than restrictive: they only allow traffic, and the rules of all groups attached to an instance are combined. For instances with multiple security groups, only one needs the new inbound rule.
Add an inbound rule
Select the Inbound rules tab, click Edit inbound rules, then click Add rule. Set the rule type to Custom TCP, set the Port range to the port you noted (usually 5432), and set a Custom Source value that includes the static IP. You need to add /32 to the end of the IP to express it in CIDR notation. Click Save rules.
Configure the network ACL
For database instances in a VPC, you also need to allow traffic at the network ACL level.
Open the VPC
In your RDS dashboard, select the PostgreSQL instance, then click the link to the instance’s VPC.

Open the main network ACL
Click the VPC ID. In the Details section, click the link under Main network ACL, then click the network ACL ID.



Edit the inbound rules
Click the Inbound rules tab and check for an existing rule with a Source of 0.0.0.0/0 set to Allow. This is a default rule created by AWS, and if it already exists, you can skip to the outbound rules. Otherwise, click Edit inbound rules, add a rule allowing access to your database port (usually 5432) from the static IP, and click Save changes.
Edit the outbound rules
Select the Outbound rules tab and check for an existing rule with a Destination of 0.0.0.0/0 set to Allow. This is a default rule created by AWS, and if it already exists, you are done. Otherwise, click Edit outbound rules and add a rule allowing outbound traffic to ports 1024 to 65535 for Destination 0.0.0.0/0. Network ACLs are stateless, so this outbound rule is what lets the database's replies reach the client's ephemeral port.
Step 3: Create a read-only user
Create the user
Create a dedicated user by running the following command. Replace <username> and <password> with values of your choice.
Grant read-only access
Grant the user read-only access to the specific tables you want to sync. Replace <schema_name> with the schema that contains those tables, and grant SELECT on each table individually. Repeat this for every schema that contains tables you want to sync.
To grant access to every table in a schema instead of listing tables individually, grant SELECT on all tables in the schema.
Step 4: Submit your connection details
Provide the following details to complete the source setup:
- The name, a descriptive name for the source.
- The host (for example, your-db.sd8jekhrlkhla.us-east-1.rds.amazonaws.com).
- The port (most likely 5432).
- The database you want to read from.
- The schema from Step 3.
- The username from Step 3.
- The password from Step 3.
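
For Step 3, one way to create the read-only user and confirm that it cannot write, as an added example that is not the vendor's own command. The role, database, schema and table names (sync_reader, app_db, sales, orders, customers) are constructed placeholders standing in for <username> and <schema_name>.

```sql
-- Added example; all object names below are constructed placeholders.
-- Run this on the primary instance: a read replica is read-only and
-- receives the role and its grants through replication.

-- Login role with no elevated attributes. Replace the password placeholder.
CREATE ROLE sync_reader WITH LOGIN PASSWORD 'REPLACE_WITH_STRONG_PASSWORD'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

-- The role needs to connect to the database and resolve names in the schema.
GRANT CONNECT ON DATABASE app_db TO sync_reader;
GRANT USAGE ON SCHEMA sales TO sync_reader;

-- Option A: grant SELECT only on the tables you want to sync.
GRANT SELECT ON sales.orders, sales.customers TO sync_reader;

-- Option B: grant SELECT on every table that currently exists in the schema.
-- Tables created later are not covered and need a new grant.
-- GRANT SELECT ON ALL TABLES IN SCHEMA sales TO sync_reader;

-- Check 1: list what the role can read. has_table_privilege() also accounts
-- for privileges inherited from PUBLIC or from other roles.
SELECT c.relnamespace::regnamespace AS schema_name,
       c.relname                    AS table_name,
       has_table_privilege('sync_reader', c.oid, 'SELECT') AS can_read
FROM pg_class c
WHERE c.relkind IN ('r', 'p')              -- ordinary and partitioned tables
  AND c.relnamespace = 'sales'::regnamespace
ORDER BY c.relname;

-- Check 2: this should return zero rows. Any row is a table the role can
-- modify, which means a write privilege reached it from somewhere else.
SELECT c.relnamespace::regnamespace AS schema_name,
       c.relname                    AS table_name
FROM pg_class c
WHERE c.relkind IN ('r', 'p')
  AND c.relnamespace = 'sales'::regnamespace
  AND has_table_privilege('sync_reader', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE');
```

Repeat the schema-level grants and both checks for every schema that contains tables you want to sync.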


