PostgreSQL RDS Warehouse Setup Guidelink

Choose connection optionlink

Decide whether to connect to your warehouse directly or connect using an SSH tunnel.

To connect using an SSH tunnel, follow these instructions.
To connect directly, configure your firewall and/or other access control systems to allow:
- Incoming connections to your Postgres port (usually 5432) from Fivetran's IP
- Outgoing connections to all ports (1024 to 65535) at Fivetran's IP

Allow accesslink

The Fivetran data processing servers will need access to your database. Assuming your instance is in a VPC, access is controlled by two mechanisms: VPC Security Groups and Network ACLs (Access Control Lists). If your instance is not in a VPC, then you only need to configure Security Groups.

Configure security grouplink

These instructions assume that your database is in a VPC (if not, you can still use these instructions as a guide because configuring a non-VPC security group is almost identical).

Expand the view on the database by clicking the little black triangle:

A panel of details for your database will appear. Write down the database's port number (you will need this later), then click the link to its Security Group:

Database details

In the security group panel, select the "Inbound" tab:

Select inbound tab

Click edit:

Click edit

Click "Add Rule":

Click add rule

A new Custom TCP Rule gets created at the bottom of the list with a blank space for a Port Range and a Source IP address. For the Port, enter your database's port number that you wrote down earlier (usually 5432). For the Source, enter Fivetran's IP:

Add rule

Click "Save":

Click save

Configure Network ACLslink

Return to the RDS Dashboard and expand the view on the database:

Click the link to the database's VPC:

Click vpc

Select the VPC:

Select vpc

In the "Summary" tab, click the "Network ACL" link:

Click network acl

You will see tabs for Inbound Rules and Outbound Rules. We will need to edit both.

Edit inbound ruleslink

Select "Inbound Rules":

Click inbound rules

If you have a default VPC that was automatically created by AWS, then the settings already allow all incoming traffic as indicated by the Source value 0.0.0.0/0 and the fact that the ALLOW entry is listed above the DENY entry:

All are allowed

If your inbound rules don't include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow Fivetran's IP to access the port number of your database (usually 5432). Help on ACL configuration can be found here.

Edit outbound ruleslink

Select "Outbound Rules":

Select outbound rules

If your outbound rules don't include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow outbound traffic to all ports 1024-65535 for destination Fivetran's IP

Create userlink

Connect to your Postgres database and run the following query to create a password:

CREATE USER fivetran PASSWORD <password>;

Run the following query to grant the fivetran user the following privileges:

CREATE: Allows the user to create new schemas in the database
TEMPORARY: Allows the user to create temporary tables while using the database

GRANT CREATE, TEMPORARY ON DATABASE <database> TO fivetran;

Documentation