Skip to main content
Documentation
Troubleshooting
Feature Requests Status

SQL Server RDS Setup Guide

Edit on GitHub
  • Updated
Fivetran System User Fivetranner

Follow these instructions to replicate your Amazon SQL Server RDS database to your destination via Fivetran.

Prerequisiteslink

To connect your SQL Server database to Fivetran, you need:

  • SQL Server version 2012 or above
  • Your database host’s IP (e.g., 1.2.3.4) or domain (e.g., your.server.com)
  • Your database’s port (usually 1433)

Choose a connection method link

Decide whether to connect your SQL Server database directly or using an SSH tunnel.

Connect directly (TLS required)

IMPORTANT: You must have TLS enabled on your database to connect directly to Fivetran.

Fivetran connects directly to your database instance. This is the simplest and most secure connection method.

To connect directly, create a security rule to allow access to Fivetran’s IP.

Connect using SSH

Fivetran connects to a separate server in your network that provides an SSH tunnel to your database. You must connect through SSH if your database is in an inaccessible subnet.

To connect using SSH, configure your VPC Security Groups and Network Access Control Lists (ACLs) to allow incoming connections to your SQL server host and port (usually 1433) from your SSH tunnel server’s IP address.

Enable accesslink

Configure security grouplink

Note: These instructions assume that your instance is in a VPC.

  1. Click on your SQL instance to expand the view, then go to the Configuration Details tab.

    rds-expand-the-instance

  2. A panel of details for your read replica appears. Verify that the Publicly Accessible value is Yes if you choose to connect directly. You do not have to make your database publicly accessible if you choose to connect using SSH.

    rds-publicly-accessible-sql_server

  3. Write down the read instance’s port number. You will need this later.

    rds-port-number

  4. Click the link to the read instance’s Security Group.

    rds-security-group

  5. In the security group panel, select the Inbound tab.

    rds-select-inbound-tab

  6. Click Edit.

    rds-inbound-click-edit

  7. Click Add Rule. This creates a new Custom TCP Rule at the bottom of the list with a blank space for a Port Range and a Source IP address.

    rds-inbound-click-add-rule

  8. Enter your Port Range and Source IP address values.

    • In the Port Range field, enter your instance’s port number that you wrote down in Step 3 of this section (usually 1433).
    • In the Custom IP field, enter Fivetran’s IP if you are connecting directly or {your-ssh-tunnel-server-ip-address}/32 if you are connecting through an SSH tunnel.

    rds-inbound-add-rule

  9. Click Save.

    rds-inbound-click-save

Configure Network ACLslink

  1. Return to the RDS Dashboard and click on your instance.

    rds-expand-the-instance

  2. Click the link to the instance’s VPC.

    rds-click-vpc

  3. Select the VPC.

    rds-select-vpc

  4. In the Summary tab, click the Network ACL link.

    rds-click-network-acl

You will see tabs for Inbound Rules and Outbound Rules. You need to edit both.

Edit inbound rules

  1. Select Inbound Rules.

    rds-click-inbound-rules

  2. If you have a default VPC that was automatically created by AWS, the settings already allow all incoming traffic. To verify that the settings allow incoming traffic, confirm that the Source value is 0.0.0.0/0 and that the ALLOW entry is listed above the DENY entry.

    rds-all-are-allowed

  3. If your inbound rules don’t include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow {your-ssh-tunnel-server-ip-address}/32 to access the port number of your read replica (usually 1433). For additional help, see AWS’s Network ACLs documentation.

Edit outbound rules

  1. Select Outbound Rules.

    rds-click-outbound-rules

  2. If your outbound rules don’t include an ALL - 0.0.0.0/0 - ALLOW entry, edit the rules to allow outbound traffic to all ports 1024-65535 for destination {your-ssh-tunnel-ip-address}/32.

Enter host and port in setup formlink

In your Fivetran setup form, enter your host and port.

  • For the Host, enter the URL from the Endpoint field in RDS dashboard, without the port.

  • For the Port, enter the port from the Endpoint field in RDS dashboard (1433 is the default).

    rds-get-endpoint

Create userlink

  1. Connect to your SQL Server database as an admin user.

  2. Execute the following SQL commands to create a user for Fivetran. Replace <database> with the name of your database, <username> with the username of your choice, and <password> with a password of your choice:

USE [<database>];
CREATE LOGIN <username> WITH PASSWORD = '<password>';
CREATE USER <username> FOR LOGIN <username>;

Grant user permissionslink

Once the Fivetran user is created, grant it SELECT permission for the set of databases, schemas, tables, or specific columns you would like Fivetran to sync. You can grant access to everything in a given database:

GRANT SELECT on DATABASE::<database> to <username>;

or all tables in a given schema:

GRANT SELECT on SCHEMA::<schema> to <username>;

or a specific table:

GRANT SELECT ON [<schema>].[<table>] TO <username>;

or a set of specific columns in a table:

GRANT SELECT ON [<schema>].[<table>] ([<column 1>], [<column 2>], ...) TO <username>;

Enter user, password, and database in setup formlink

In your Fivetran setup form, enter your user, password, and database name.

  • For the User, enter the username you created.
  • For the Password, enter the password you set when you created the user.
  • For the Database, enter the database you want to replicate from.

Enable incremental updateslink

We use one of SQL Server’s two built-in tracking mechanisms for incremental updates: change tracking (CT) and change data capture (CDC). When enabled, both CT and CDC keep a record of the table rows that have changed in a certain window of time (the default window is the most recent 2 days). These mechanisms let Fivetran copy only the rows that have changed since the last data sync so we don’t have to copy the whole table every time.

NOTE: You cannot enable CT or CDC on a read replica. If you enable CDC on your primary database, it applies to your read replica. However, if you enable CT on your primary database, it does not apply to your read replica.

Choose to enable either change tracking or change data capture. To learn more about CT and CDC, see our updating data documentation.

Change trackinglink

  1. First, enable change tracking at the database level:

    ALTER DATABASE [<database>] SET CHANGE_TRACKING = ON;

  2. Next, enable it for each table you want to integrate:

    ALTER TABLE [<schema>].[<table>] ENABLE CHANGE_TRACKING;

  3. Grant the Fivetran user VIEW CHANGE TRACKING permission for each of the tables that have change tracking enabled:

    GRANT VIEW CHANGE TRACKING ON [<schema>].[<table>] TO <username>;

You must enable change tracking before you continue.

Change data capturelink

  1. Enable change data capture at the database level:

    EXEC msdb.dbo.rds_cdc_enable_db [<database>];

  2. Enable change data capture for each table you want to integrate:

    EXEC sys.sp_cdc_enable_table  
@source_schema = [<schema>],
@source_name   = [<table>],
@role_name     = [<username>];

NOTE: Fivetran only supports tables with a single CDC capture instance. Our syncs only include tables and columns that are present in a CDC instance. If you add new tables or columns, you must create a new CDC instance that includes them and delete the old instance.

Choose schema prefixlink

Each database from your source will be mapped to a schema in the destination by adding a prefix to the source database name. For example, if your source database names are “foo” and “bar” and if you choose the prefix “source1”, then you will get schemas “source1_foo” and “source1_bar” in the destination.

Setup testslink

Fivetran performs the following tests to ensure that we can connect to your SQL Server RDS database and that it is properly configured:

  • The Connecting to SSH Tunnel Test validates the SSH tunnel details you provided in the setup form. It then checks that we can connect to your database using the SSH Tunnel. (We skip this test if you aren’t connecting using SSH.)
  • The Connecting to Host Test validates the database credentials you provided in the setup form. It then verifies that the database host is not private and checks that we can connect to the host.
  • The Validating Certificate Test generates a pop-up window where you must choose which certificate you want Fivetran to use. It then validates that certificate and checks that we can connect to your database using TLS. (We skip this test if you aren’t connecting directly.)
  • The Connecting to Database Test checks that we can access your database.
  • The Checking Access to Schema Test checks that we have the correct permissions to access the schemas in your database. It then verifies that your database contains at least one table.
  • The Validating Replication Config Test verifies that your database has an incremental update mechanism enabled (either CDC or CT).

NOTE: The tests may take a few minutes to finish running.

Related Contentlink

description Connector Overview

account_tree Schema Information

assignment Release Notes

settings API Connector Configuration

home Documentation Home

Related articles

Didn’t find what you need?

Contact support