Skip to main content
If your RDS database is in a private VPC with no public access, there are several ways to securely connect it to BonData. The right approach depends on your security requirements, data volume, and infrastructure.
Using a different cloud? See GCP Cloud SQL or Azure SQL.

S3 + Lambda

Self-service setup with Terraform

Tunnel Agent

Lightweight agent in your VPC

AWS PrivateLink

Private endpoint, no public internet

VPC Peering

Direct network link between VPCs

Site-to-Site VPN

Encrypted tunnel over the internet

Direct Connect

Dedicated physical connection
Not sure which option is right for you? The S3 + Lambda approach works for most teams and you can set it up entirely on your own. For all other options, reach out to our team - we’ll help you evaluate your setup and find the best path forward.

Option 1: Export to S3 via Lambda

RecommendedSelf-service
A Lambda function runs inside your VPC on a schedule, queries RDS, converts results to Parquet, and writes them to S3. BonData reads from S3 via its native S3 integration.
Why this approach works best for most teams:
  • No firewall changes - Lambda runs inside your VPC
  • Zero DB performance impact - queries run on your schedule
  • Database credentials never leave your AWS account
  • Fully self-service - no coordination with BonData needed

Deploy with Terraform

Create a bondata-rds-export.tf file and fill in the variables at the top. This provisions the S3 bucket, Lambda function, IAM role, EventBridge schedule, and networking in one apply.
Store db_password in Terraform Cloud or pass it via TF_VAR_db_password to avoid committing secrets.
Lambda layer: The function requires psycopg2 and pyarrow. Build a layer or use a public one:
Then add the layer ARN to the layers list in the Terraform file.

Deploy

Connect S3 to BonData

Once data is flowing, connect BonData to the bucket using the S3 integration:
  1. In BonData, go to IntegrationsAdd IntegrationAmazon S3
  2. Enter your bucket name and the prefix (default: rds-exports)
  3. Provide IAM credentials with read-only access to the bucket

Option 2: BonData Tunnel Agent

A lightweight Docker container that runs inside your VPC and creates a secure outbound tunnel to BonData. Once running, BonData can query your database directly through the encrypted connection - no inbound firewall rules, no VPN, no public exposure.
Best for: Teams that need real-time query access with minimal infrastructure changes. The agent only requires outbound HTTPS (port 443) and can run on any Docker host - EC2, ECS, EKS, or Fargate. Database credentials stay in your environment and all traffic is encrypted end-to-end.

Get started with the Tunnel Agent

Contact our team to provision your tunnel token and walk through deployment for your environment.

AWS PrivateLink creates a private endpoint in your VPC that routes traffic to BonData without it ever crossing the public internet. Traffic stays entirely within the AWS network. Best for: Organizations with strict compliance requirements (HIPAA, SOC 2) that prohibit any data traversal over the public internet, even when encrypted. PrivateLink provides the strongest network-level isolation without the complexity of VPC Peering or VPN. How it works:
  • BonData exposes a VPC Endpoint Service in its AWS account
  • You create an Interface VPC Endpoint in your VPC pointing to that service
  • Your RDS traffic flows privately through the AWS backbone - no internet gateway, no NAT, no public IPs

Set up PrivateLink

Contact our team to get BonData’s endpoint service name and configure PrivateLink for your account.

Option 4: VPC Peering

VPC Peering creates a direct network route between your VPC and BonData’s VPC, allowing private IP communication as if they were on the same network. Best for: Teams that want a simple, low-cost network link with low latency. VPC Peering has no per-hour charge (you only pay for data transfer) and supports full-bandwidth communication between VPCs. How it works:
  • A peering connection is established between your VPC and BonData’s VPC
  • Route tables on both sides are updated to direct traffic through the peering link
  • Your RDS security group is updated to allow inbound connections from BonData’s CIDR range
VPC Peering requires both VPCs to be in the same AWS region or use inter-region peering. CIDR ranges must not overlap.

Set up VPC Peering

Contact our team to exchange VPC details and coordinate the peering connection.

Option 5: Site-to-Site VPN

An AWS Site-to-Site VPN creates an encrypted IPsec tunnel over the public internet between your network and BonData’s infrastructure. Best for: Organizations that already have VPN infrastructure or need to connect from on-premises networks (not just AWS). Also useful when VPC Peering isn’t possible due to overlapping CIDR ranges. How it works:
  • A Virtual Private Gateway is attached to your VPC
  • An IPsec tunnel is established between your gateway and BonData’s endpoint
  • All traffic is encrypted and routed through the tunnel
  • Supports both static and dynamic (BGP) routing

Set up a VPN connection

Contact our team to exchange gateway details and configure the VPN tunnel.

Option 6: AWS Direct Connect

AWS Direct Connect provides a dedicated physical network connection (1 Gbps or 10 Gbps) between your infrastructure and BonData, bypassing the public internet entirely. Best for: Enterprise environments with very high data volumes, strict latency requirements, or regulatory mandates for dedicated connectivity. Direct Connect provides the most consistent throughput and lowest latency of any option. How it works:
  • A physical cross-connect is established at an AWS Direct Connect location
  • A dedicated Virtual Interface (VIF) routes traffic between your network and BonData
  • Traffic never touches the public internet - ideal for large-scale, continuous data sync
Direct Connect typically takes 2-4 weeks to provision and involves coordination between your network team, AWS, and BonData.

Set up Direct Connect

Contact our team to discuss your throughput requirements and coordinate the connection.