# AWS RDS

> Configure an AWS RDS PostgreSQL database as a Prequel source.

Follow these steps to configure your source database and connect to Prequel. **Step 1** (creating a read replica) is optional, but will ensure the Prequel service does not put any unnecessary load on your primary database during data transfer.

<Steps>
  <Step title="Create read replica (optional)">
    1. In your Amazon RDS Dashboard, click the PostgreSQL instance you want to replicate.
    2. On the database page, click **Actions**, then select **Create read replica** from the drop-down menu.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/rds-create-read-replica.png "create read replica.png")
    </Frame>

    3. In the **Instance specifications** section, specify the instance type for the read replica. It can be smaller than the main instance.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/rds-instance-class-small.png "instance class small.png")
    </Frame>

    4. In the **Network & Security** section, under **Publicly accessible** select **Yes** to ensure that the read replica is accessible from outside your VPC. Note that it is still only accessible through whitelisted IPs at this point.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/rds-publicly-accessible-yes.png "publicly accessible yes.png")
    </Frame>

    5. In the **Settings** section, enter a **DB instance identifier**. For example, `source-transfer-service-read-replica`.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/rds-read-replica-identifier.png "read replica settings.png")
    </Frame>

    6. Click **Create read replica**.
    7. The read replica will now start `creating`.
  </Step>

  <Step title="Allow access">
    Allow Prequel to reach your PostgreSQL database or the read replica you created in Step 1.

    ### Configure the security group

    1. In your **Amazon RDS** > **Databases** list, click the PostgreSQL instance you want to connect to Prequel.
    2. In the database page, in the **Connectivity & security** tab, make note of the **Endpoint** and the **Port** number.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/aurora-reader-access.png "reader access.png")
    </Frame>

    3. In the **Security** section, ensure that the **Publicly accessible** setting is set to **Yes** so that the database is accessible from outside your VPC. Note that it is still only accessible through whitelisted IPs at this point.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/aurora-reader-publicly-accessible-yes.png "reader publicly accessible yes.png")
    </Frame>

    4. Click one of the VPC security groups (usually `default`). Note: VPC groups are permissive (vs. restrictive) and for instances with multiple VPC security groups, only one needs to be configured with the new inbound rule.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-vpc-security-groups.png "vpc groups .png")
    </Frame>

    5. In the **Security Groups** section, select the **Inbound rules** tab.
    6. Click **Edit inbound rules** and then click **Add rule**.
    7. Edit the newly created rule of type **Custom TCP** with the **Port range** noted in the first step (usually `5432`) and a `Custom` **Source** value that includes all of the service IPs. Note: you will need to add `/32` to the end of each IP (CIDR notation).
    8. Click **Save rules**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-add-rule.png "add rule.png")
    </Frame>

    ### Configure network ACLs (access control list)

    For database instances in a VPC:

    1. In your RDS dashboard, select the PostgreSQL instance.
    2. Click the link to the instance's VPC.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/aurora-reader-vpc.png "reader vpc.png")
    </Frame>

    3. In the VPC menu, click the **VPC ID**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-vpc-id.png "vpc id.png")
    </Frame>

    4. In the **Details** section, click on the link under **Main network ACL**.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-main-network-acl-id.png "reader main network acl.png")
    </Frame>

    5. Click on the network ACL ID.

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-network-acl-id.png "network acl id.png")
    </Frame>

    #### Edit the inbound rules

    6. Click on the **Inbound rules** tab, and check if there is an existing rule with a Source of `0.0.0.0/0` set to `Allow`. (This is a default rule created by AWS. If this rule already exists, skip to **Edit outbound rules**.)

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-inbound-rules.png "inbound rules.png")
    </Frame>

    7. Create the inbound rule (if it doesn't exist). Click **Edit inbound rules** and either **Add new rule** or edit an existing rule to allow access to the **port number** of your database instance (usually `5432`) from the Prequel static IP. Click **Save changes**.

    #### Edit the outbound rules

    8. In the ACL menu, select the **Outbound rules** tab, and check if there is an existing rule with a Destination of `0.0.0.0/0` set to `Allow`. (This is a default rule created by AWS. If this rule already exists, skip to the next step.)

    <Frame>
      ![](https://storage.googleapis.com/prequel_docs/images/postgres-outbound-rules.png "outbound rules.png")
    </Frame>

    9. Create the outbound rule (if it doesn't exist). Click **Edit outbound rules** and edit the rules to allow outbound traffic to ports 1024-65535 for **Destination** `0.0.0.0/0`.
  </Step>

  <Step title="Create a read-only user">
    1. Open a connection to your Amazon RDS PostgreSQL database.
    2. Create a user for Prequel by executing the following SQL command.

    ```sql title="Create read-only user" icon="database" theme={null}
    CREATE USER <username> PASSWORD '<some-password>' NOSUPERUSER NOCREATEDB NOCREATEROLE;
    ```

    3. Grant the user read-only access to all relevant schemas. `public` is the default schema; replace it with your schema name if needed.

    ```sql title="Grant schema access" icon="database" theme={null}
    GRANT USAGE ON SCHEMA "public" TO <username>;
    GRANT SELECT ON ALL TABLES IN SCHEMA "public" TO <username>;
    ```

    4. Repeat the step above for all schemas with data that needs to be synced, replacing `"public"` with the correct schema name.
       a. **Note**: if you prefer, you may instead grant access to only the desired tables.

    ```sql title="Grant per-table access" icon="database" expandable theme={null}
    GRANT USAGE ON SCHEMA "public" TO <username>;
    GRANT SELECT ON <table_name_a> TO <username>;
    GRANT SELECT ON <table_name_b> TO <username>;
    GRANT SELECT ON <table_name_c> TO <username>;
    ```
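
    The grants above cover only tables that exist when they are run, and a role with no write grants of its own can still inherit privileges from `PUBLIC`. The following added example (not part of the Prequel documentation) extends the grant to future tables and checks that the role is read-only in effect; `<owner_role>` is a hypothetical placeholder for the role that creates your tables.

    ```sql
    -- Added example, not from the Prequel docs.
    -- <username> is the role created above; <owner_role> is a hypothetical
    -- placeholder for the role that creates tables in the schema.

    -- 1. Cover tables created later. Default privileges are recorded per creating
    --    role, so name the owner explicitly (omit FOR ROLE if you create the
    --    tables with the role running this statement).
    ALTER DEFAULT PRIVILEGES FOR ROLE <owner_role> IN SCHEMA "public"
        GRANT SELECT ON TABLES TO <username>;

    -- 2. Role attributes: rolsuper, rolcreatedb and rolcreaterole should all be false.
    SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
    FROM pg_roles
    WHERE rolname = '<username>';

    -- 3. Effective write privileges on any relation, including those inherited
    --    from PUBLIC or from role membership. Expect zero rows.
    SELECT n.nspname AS schema_name, c.relname AS relation_name
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
      AND n.nspname NOT IN ('pg_catalog', 'information_schema')
      AND has_table_privilege('<username>', c.oid,
                              'INSERT, UPDATE, DELETE, TRUNCATE');

    -- 4. Schemas in which the role can create objects. Expect zero rows.
    --    On PostgreSQL 14 and earlier, PUBLIC holds CREATE on schema "public"
    --    by default, so "public" is listed until that default is revoked.
    SELECT nspname AS schema_name
    FROM pg_namespace
    WHERE left(nspname, 3) <> 'pg_'
      AND nspname <> 'information_schema'
      AND has_schema_privilege('<username>', oid, 'CREATE');

    -- 5. Only if step 4 lists "public": remove the default. This affects every
    --    role that relies on it, so grant CREATE back to the roles that need it.
    REVOKE CREATE ON SCHEMA "public" FROM PUBLIC;
    ```

    Run the checks as a role that can see every schema involved, and repeat step 1 for each schema you granted.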
  </Step>

  <Step title="Add source to Prequel">
    Use the [cURL request](/export/api-reference/sources/create-source) to add the configured source to Prequel.

    1. The **name** is a descriptive name of the source for your purposes (i.e., a description)
    2. The **host** \[for example, `6.7.8.9` or `your-db.sd8jekhrlkhla.us-east-1.rds.amazonaws.com`]
    3. The **port** \[most likely `5432`]
    4. The **vendor**: `postgres`
    5. The **database**, from Step 2. `postgres` by default, or whatever database you prefer to use
    6. The **username** from Step 3
    7. The **password** from Step 3
  </Step>
</Steps>
