Using a different cloud? See GCP Cloud SQL or Azure SQL.
S3 + Lambda
Self-service setup with Terraform
Tunnel Agent
Lightweight agent in your VPC
AWS PrivateLink
Private endpoint, no public internet
VPC Peering
Direct network link between VPCs
Site-to-Site VPN
Encrypted tunnel over the internet
Direct Connect
Dedicated physical connection
Option 1: Export to S3 via Lambda
RecommendedSelf-service
A Lambda function runs inside your VPC on a schedule, queries RDS, converts results to Parquet, and writes them to S3. BonData reads from S3 via its native S3 integration.
- No firewall changes - Lambda runs inside your VPC
- Zero DB performance impact - queries run on your schedule
- Database credentials never leave your AWS account
- Fully self-service - no coordination with BonData needed
Deploy with Terraform
Create abondata-rds-export.tf file and fill in the variables at the top. This provisions the S3 bucket, Lambda function, IAM role, EventBridge schedule, and networking in one apply.
Lambda layer: The function requires Then add the layer ARN to the
psycopg2 and pyarrow. Build a layer or use a public one:layers list in the Terraform file.Deploy
Connect S3 to BonData
Once data is flowing, connect BonData to the bucket using the S3 integration:- In BonData, go to Integrations → Add Integration → Amazon S3
- Enter your bucket name and the prefix (default:
rds-exports) - Provide IAM credentials with read-only access to the bucket
Option 2: BonData Tunnel Agent
A lightweight Docker container that runs inside your VPC and creates a secure outbound tunnel to BonData. Once running, BonData can query your database directly through the encrypted connection - no inbound firewall rules, no VPN, no public exposure.Get started with the Tunnel Agent
Contact our team to provision your tunnel token and walk through deployment for your environment.
Option 3: AWS PrivateLink
AWS PrivateLink creates a private endpoint in your VPC that routes traffic to BonData without it ever crossing the public internet. Traffic stays entirely within the AWS network. Best for: Organizations with strict compliance requirements (HIPAA, SOC 2) that prohibit any data traversal over the public internet, even when encrypted. PrivateLink provides the strongest network-level isolation without the complexity of VPC Peering or VPN. How it works:- BonData exposes a VPC Endpoint Service in its AWS account
- You create an Interface VPC Endpoint in your VPC pointing to that service
- Your RDS traffic flows privately through the AWS backbone - no internet gateway, no NAT, no public IPs
Set up PrivateLink
Contact our team to get BonData’s endpoint service name and configure PrivateLink for your account.
Option 4: VPC Peering
VPC Peering creates a direct network route between your VPC and BonData’s VPC, allowing private IP communication as if they were on the same network. Best for: Teams that want a simple, low-cost network link with low latency. VPC Peering has no per-hour charge (you only pay for data transfer) and supports full-bandwidth communication between VPCs. How it works:- A peering connection is established between your VPC and BonData’s VPC
- Route tables on both sides are updated to direct traffic through the peering link
- Your RDS security group is updated to allow inbound connections from BonData’s CIDR range
VPC Peering requires both VPCs to be in the same AWS region or use inter-region peering. CIDR ranges must not overlap.
Set up VPC Peering
Contact our team to exchange VPC details and coordinate the peering connection.
Option 5: Site-to-Site VPN
An AWS Site-to-Site VPN creates an encrypted IPsec tunnel over the public internet between your network and BonData’s infrastructure. Best for: Organizations that already have VPN infrastructure or need to connect from on-premises networks (not just AWS). Also useful when VPC Peering isn’t possible due to overlapping CIDR ranges. How it works:- A Virtual Private Gateway is attached to your VPC
- An IPsec tunnel is established between your gateway and BonData’s endpoint
- All traffic is encrypted and routed through the tunnel
- Supports both static and dynamic (BGP) routing
Set up a VPN connection
Contact our team to exchange gateway details and configure the VPN tunnel.
Option 6: AWS Direct Connect
AWS Direct Connect provides a dedicated physical network connection (1 Gbps or 10 Gbps) between your infrastructure and BonData, bypassing the public internet entirely. Best for: Enterprise environments with very high data volumes, strict latency requirements, or regulatory mandates for dedicated connectivity. Direct Connect provides the most consistent throughput and lowest latency of any option. How it works:- A physical cross-connect is established at an AWS Direct Connect location
- A dedicated Virtual Interface (VIF) routes traffic between your network and BonData
- Traffic never touches the public internet - ideal for large-scale, continuous data sync
Direct Connect typically takes 2-4 weeks to provision and involves coordination between your network team, AWS, and BonData.
Set up Direct Connect
Contact our team to discuss your throughput requirements and coordinate the connection.