Generic PostgreSQL Setup Guide

Fivetran connects directly to your database instance. This is the simplest method.

If you connect directly, you will create a rule in a security group that allows Fivetran access to your database instance.

Fivetran connects to a separate server in your network that provides an SSH tunnel to your database. You must connect through SSH if your database resides in an inaccessible subnet.

If you connect using SSH:

• configure your SSH tunnel server's security group to allow Fivetran access
• configure your database's security to allow access from the tunnel

Before you proceed to the next step, you must follow our SSH connection instructions.

IMPORTANT: You must have a Business Critical plan to use private networking.

Private networking enables communication between private networks and services without exposing traffic to the public internet. Private networking is the most secure connection method. We support the following providers:

• AWS PrivateLink – used for VPCs and AWS-hosted or on-premises services. See our AWS PrivateLink setup guide for details
• Azure PrivateLink – used for Virtual Networks (VNets) and Azure-hosted or on-premises services. See our Azure PrivateLink setup guide for details
• Google Cloud Private Service Connect – used for VPCs and Google-hosted or on-premises services. See our Google Cloud Private Service Connect setup guide for details

Fivetran connects to your database through the Proxy Agent, providing secure communication between Fivetran processes and your database host. The Proxy Agent is installed in your network and creates an outbound network connection to the Fivetran-managed SaaS.

To learn more about the Proxy Agent, how to install it, and how to configure it, see our Proxy Agent documentation.

IMPORTANT: You can only enable logical replication if your PostgreSQL version is 10 or later. If you want to use logical replication on a read replica, your PostgreSQL version must be 16 or later.

Logical replication is based on logical decoding of the PostgreSQL write-ahead log (WAL). Fivetran reads the WAL using the pgoutput plugin to detect any new or changed data. This plugin replicates from your custom publication without needing additional libraries.

To learn more, see our logical replication documentation.

The XMIN method is based on the hidden xmin system column that is present in all PostgreSQL tables. With XMIN, Fivetran must scan every table in full to detect updated data. We do not recommend XMIN for near real-time data needs because XMIN replication is slower than logical replication and doesn't allow Fivetran to detect deleted rows.

Learn more in our XMIN documentation.

Fivetran Teleport Sync is a proprietary incremental sync method that can add delete capture with no additional setup other than a read-only SQL connection. Updates will be captured using the XMIN system column.

Learn more in our Fivetran Teleport Sync documentation.

If you want to limit Fivetran's access to your tables, grant the Fivetran user access to only the tables that you would like to sync. You must individually grant access for each table that you want to sync. You cannot grant access to all tables and then revoke access for a subset of tables.

1. Ensure that the Fivetran user has access to the schema that contains your table(s).

   GRANT USAGE ON SCHEMA "some_schema" TO <username>;
   

2. Revoke any previously granted permission to all tables in that schema.

   ALTER DEFAULT PRIVILEGES IN SCHEMA "some_schema" REVOKE SELECT ON TABLES FROM <username>;
   REVOKE SELECT ON ALL TABLES IN SCHEMA "some_schema" FROM <username>;
   

3. Repeat the following command for each table you want Fivetran to sync.

   GRANT SELECT ON "some_schema"."some_table" TO <username>;
   

4. By default, any tables that you create in the future will be excluded from the Fivetran user's access. To grant access to new tables, run the following command.

   ALTER DEFAULT PRIVILEGES IN SCHEMA "some_schema" GRANT SELECT ON TABLES TO <username>;
   

If you want to limit Fivetran's access to the columns in your tables, grant the Fivetran user access to only certain columns.

1. Revoke any previously granted permission to read all columns in the table.

   REVOKE SELECT ON "some_schema"."some_table" FROM <username>;
   

2. Grant permission to the specific columns you want to sync (for example, some_column and other_column).

   IMPORTANT: If you chose XMIN as your incremental sync method, you must grant us access to the hidden system column xmin. While it's not mandatory, you can also grant us access to the hidden system column ctid to make your initial sync faster.

   GRANT SELECT (xmin, ctid, some_column, other_column) ON "some_schema"."some_table" TO <username>;
   

Once you restrict access to columns within a table, the Fivetran user will not have access to any new columns added to that table in the future. To grant access to new columns, you must rerun the command above.

To enable logical replication, follow these steps:

1. Go to your PostgreSQL database.

2. Ensure that your server has ample free space for the logs. As soon as Fivetran processes a log, we delete it. However, we don't delete logs if the sync is interrupted (for example, if we lose access to your database). In this case, logs may accumulate on your server and consume additional storage. The amount of additional disk space that these logs consume is proportional to the number of changes committed on the server. If we can't resume a lost connection quickly enough and you need more disk space, you can drop the replication slot, which deletes its unconsumed logs.

3. Ensure that the statement_timeout setting on your server is either 0 (the default value to disable the timeout) or greater than 5 minute.

4. Set the wal_level parameter in your database configuration to logical. For a standard PostgreSQL database, do this by adding a wal_level = logical line to the postgresql.conf1 file. Restart the server for this change to take effect.

5. Ensure that your max_replication_slots value is equal to or higher than the number of PostgreSQL connectors that use logical replication plus the number of other replication slots your database uses.

6. Set the wal_sender_timeout parameter in your database configuration to 0 to disable the timeout.

7. Add a record to your pg_hba.conf file that allows your database to authenticate Fivetran's connection to the WAL.

8. Go to the postgresql.conf file and ensure that the max_wal_senders parameter, which specifies the maximum number of concurrent connections to the WAL, is at least twice the total number of logical replication slots. For example, if your database uses 11 replication slots in total, then the max_wal_senders value must be 22 or greater.

9. Use a PostgreSQL console (such as a SQL workbench or psql) to log in to your primary database as a superuser.

10. Create a publication for your tables. If you want, you can create a publication for only certain tables so that you add or remove tables from the publication later on. Only changes from tables in the publication are replicated to Fivetran. Each database can have multiple distinct publications. You must have CREATE privileges or above to run this command.

    IMPORTANT: The publication name fivetran_pub quoted throughout this guide is used purely as an example. The actual publication name should be unique for every database and cannot start with a number.

    CREATE PUBLICATION fivetran_pub FOR TABLE table2, table4, table8;
    

    To add or remove a table from a publication, run the following command. You must have ownership rights over the table(s).

    ALTER PUBLICATION fivetran_pub ADD/DROP TABLE table_name;
    

    Alternatively, you can create a publication for all of your tables. However, you cannot remove any table from this publication later on. You must have superuser privileges to run this command.

     CREATE PUBLICATION fivetran_pub FOR ALL TABLES;
    

    (Optional) You can choose which operations to include in the publication. For example, the following publication includes only INSERT and UPDATE operations.

    CREATE PUBLICATION insert_only_pub FOR TABLE table1 WITH (publish = 'INSERT, UPDATE');
    

    To add partitioned tables for PostgreSQL version 13 or later, run the following command to enable publish_via_partition_root.

    CREATE PUBLICATION fivetran_pub FOR ALL TABLES WITH (publish_via_partition_root=true);
    

11. Create a logical replication slot for the database you want to sync by running the following command. You must use the standard output plugin pgoutput. Ensure that you are connected to the correct database when you create your replication slot, or your connector will not be able to find the slot.

    IMPORTANT: You must create a unique replication slot for every connector that uses the same PostgreSQL cluster. Replication slot names cannot start with a number. (The replication slot name fivetran_pgoutput_slot quoted throughout this guide is used purely as an example.)

    IMPORTANT: You need to create the replication slot after you have created the publication.

    SELECT pg_create_logical_replication_slot('fivetran_pgoutput_slot', 'pgoutput');
    

    NOTE: If your PostgreSQL server version is 16 or later and you want to sync from a standby, create the replication slot in the read replica.

12. Verify that your chosen tables are in the publication.

    SELECT * FROM pg_publication_tables;
    

13. Grant the Fivetran user permission to read the replication slot.

    ALTER ROLE <username> WITH REPLICATION;
    

14. Log in as the Fivetran user.

15. Verify that the Fivetran user can read the replication slot by running the following command. Replace fivetran_pgoutput_slot with your replication slot name and fivetran_pub with the publication name.

    SELECT count(*) FROM pg_logical_slot_peek_binary_changes('fivetran_pgoutput_slot', null, null, 'proto_version', '1', 'publication_names', 'fivetran_pub');
    

    If the query succeeds, then permissions are sufficient.

IMPORTANT: You must periodically tune the checkpoint_timeout and max_wal_size parameters based on your PostgreSQL database operations. If you do not, you may experience replication failures. To learn how to tune, read this tuning checkpoints documentation.

The XMIN method is based on the hidden xmin system column that is present in all PostgreSQL tables.

We recommend that you filter frozen pages from incremental syncs. Filtering makes incremental syncs significantly shorter, which means that we use fewer resources in your source database.

(Optional) To filter frozen pages, run the following commands on your primary database as a superuser:

CREATE EXTENSION pg_visibility;

CREATE SCHEMA fivetran;

CREATE OR REPLACE FUNCTION fivetran.get_all_pages(v_table_name character varying)

RETURNS TABLE (
    pagenumber integer,
    all_visible_yn boolean,
    all_frozen_yn boolean)
LANGUAGE plpgsql
SECURITY definer

AS $function$
declare
begin
    RETURN QUERY
    SELECT blkno::int as pageNumber,
           all_visible as all_visible_yn,
           all_frozen as all_frozen_yn
    FROM pg_visibility_map($1::regclass);
END;
$function$;

GRANT USAGE ON SCHEMA fivetran TO <username>;

GRANT EXECUTE ON FUNCTION fivetran.get_all_pages TO <username>;

To connect to a standby or read replica, run the following SQL command on your primary database as the Fivetran user:

CREATE AGGREGATE BIT_XOR(IN v bigint) (SFUNC = int8xor, STYPE = bigint);

NOTE: You must run the command above in the parent database because you cannot create new objects in read replicas. This command propagates the function to the read-only replica.

If you are not connecting with a read replica, you do not need to do any additional configuration. The aggregate that the Teleport mechanism will later use is automatically created for you.