Azure Database for PostgreSQL Setup Guide

Connect directly

Fivetran connects directly to your database instance. This is the simplest method.

If you connect directly, you will create a rule in a security group that allows Fivetran access to your database instance.

Connect using SSH

Fivetran connects to a separate server in your network that provides an SSH tunnel to your database. You must connect through SSH if your database is in an inaccessible subnet.

Before you proceed to the next step, you must follow our SSH connection instructions.

Azure Private Link allows Virtual Networks (VNets) and Azure-hosted or on-premises services to communicate with one another without exposing traffic to the public internet. Learn more in Microsoft's Azure Private Link documentation.

Follow our Azure PrivateLink setup guide to configure Private Link for your database.

Fivetran connects to your database through the Proxy Agent, providing secure communication between Fivetran processes and your database host. The Proxy Agent is installed in your network and creates an outbound network connection to the Fivetran-managed SaaS.

To learn more about the Proxy Agent, how to install it, and how to configure it, see our Proxy Agent documentation.

1. Follow the instructions in the Register an application with the Microsoft identity platform documentation register a new application.

   

2. Follow the instructions in the Microsoft Add credentials documentation to add a credential with a client secret. Store the generated client secret in a secure place, because you cannot access this value later.

3. 

4. In the Azure Database for PostgreSQL flexible server, navigate to the Authentication section and ensure that one of the following options is selected:

   • Microsoft Entra authentication only
   • PostgreSQL and Microsoft Entra authentication

   

5. Add a Microsoft Entra Admin if an admin is not already present.

6. Connect to the postgres database within your Azure Database for PostgreSQL flexible server using the Microsoft Entra Admin's credentials.

7. Follow the instructions in the Manage Microsoft Entra roles in Azure Database for PostgreSQL - Flexible Server documentation to add the service principal as user in PostgreSQL. Once you run the command SELECT * FROM pgaadauth_create_principal('fivetran_user', false, false);, you can now use the service principal fivetran_user as a user.

8. Fill in the following details in the corresponding fields in the connection setup form:

   • User: Registered App Display Name
   • Password: Client Secret Value
   • Entra App ID: Registered App (client) ID
   • Azure Tenant ID: Directory (tenant) ID

If you want to limit Fivetran's access to your data, grant the Fivetran user access to only the tables that you would like to sync. You need to individually grant access for each table that you want to sync. It is not possible to achieve exclusion by granting access to all tables and then revoking access for a subset of tables.

1. Ensure that the Fivetran user has access to the schema that contains your table(s).

   GRANT USAGE ON SCHEMA "some_schema" TO <username>;
   

2. Revoke any previously granted permission to all tables in that schema.

   ALTER DEFAULT PRIVILEGES IN SCHEMA "some_schema" REVOKE SELECT ON TABLES FROM <username>;
   REVOKE SELECT ON ALL TABLES IN SCHEMA "some_schema" FROM <username>;
   

3. Repeat the following command for each table you want Fivetran to sync.

   GRANT SELECT ON "some_schema"."some_table" TO <username>;
   

4. By default, any tables that you create in the future will be excluded from the Fivetran user's access. To grant access to new tables, run the following command.

   ALTER DEFAULT PRIVILEGES IN SCHEMA "some_schema" GRANT SELECT ON TABLES TO <username>;
   

You can also grant the Fivetran user access to only certain columns within a table. You need to individually grant access for each column that you want to sync.

1. Ensure that you have revoked any previously granted permission to read all columns in the table.

   REVOKE SELECT ON "some_schema"."some_table" FROM <username>;
   

2. Grant permission to the specific columns you want to sync (for example, some_column and other_column).

   If you chose Query-Based as your incremental sync method, you must grant us access to the hidden system columns xmin and ctid. This speeds up your initial sync and enables capturing deletes.

   GRANT SELECT (xmin, ctid, some_column, other_column) ON "some_schema"."some_table" TO <username>;
   

Once you restrict access to columns within a table, the Fivetran user will not have access to any new columns added to that table in the future. To grant access to new columns, you must rerun the command above.

Logical replication relies on the logical decoding of the PostgreSQL write-ahead log (WAL). Fivetran reads the WAL using the pgoutput plugin to detect any new or changed data. This plugin replicates data from your custom publication without needing additional libraries. Learn more in our logical replication documentation.

We support logical replication of read replicas only if you are using PostgreSQL version 16 or higher. If your PostgreSQL version is below 16, you must connect to your primary database.

To enable logical replication, follow these steps:

1. Ensure that your server has ample free space for the logs. Logs that Fivetran has already processed are released. However, logs are not released if replication stops (for example, if we lose access). In this case, logs may accumulate on your server and consume additional storage. The amount of additional disk space consumed by these logs is proportional to the amount of changes committed on the server. If a lost connection can't be resumed quickly enough, you can drop the replication slot, which releases the storage of unconsumed logs. You would then need to do a full re-sync of your connection to reset the cursor in the replication slot.

2. In your Azure portal, do the following:

   i. Set the wal_level server parameter to LOGICAL, then click Save.

   

   ii. Click Yes to restart the server to apply the change.

   

3. Use a PostgreSQL console to log in to your primary database as an admin user.

4. Create a publication for your tables. If you want, you can create a publication for only certain tables so that you add or remove tables from the publication later on. Only changes from tables in the publication are replicated to Fivetran. Each database can have multiple distinct publications. You must have CREATE privileges or above to run this command.

   The publication name fivetran_pub quoted throughout this guide is used purely as an example. The actual publication name should be unique for every database and cannot start with a number.

   CREATE PUBLICATION fivetran_pub FOR TABLE table2, table4, table8;
   

   To add or remove a table from a publication, run the following command. You must have ownership rights over the table(s).

   ALTER PUBLICATION fivetran_pub ADD/DROP TABLE table_name;
   

   Alternatively, you can create a publication for all of your tables. However, you cannot remove any table from this publication later on. You must have superuser privileges to run this command.

    CREATE PUBLICATION fivetran_pub FOR ALL TABLES;
   

   (Optional) You can choose which operations to include in the publication. For example, the following publication includes only INSERT and UPDATE operations.

   CREATE PUBLICATION insert_only_pub FOR TABLE table1 WITH (publish = 'INSERT, UPDATE');
   

   To add partitioned tables for PostgreSQL version 13 or later, run the following command to enable publish_via_partition_root.

   CREATE PUBLICATION fivetran_pub FOR ALL TABLES WITH (publish_via_partition_root=true);
   

5. Create a logical replication slot for the database you want to sync by running the following command. You must use the standard output plugin pgoutput. Ensure that you are connected to the correct database when you create your replication slot, or your connection will not be able to find the slot.

   To create replication slot, the admin user has to have REPLICATION permission:

   ALTER ROLE <admin_role> WITH REPLICATION;
   

   You must create a unique replication slot for every connection that uses the same PostgreSQL cluster. Replication slot names cannot start with a number. (The replication slot name fivetran_pgoutput_slot quoted throughout this guide is used purely as an example.)

   You need to create the replication slot after you have created the publication.

   SELECT pg_create_logical_replication_slot('fivetran_pgoutput_slot', 'pgoutput');
   

   If your PostgreSQL server version is 16 or later and you want to sync from a standby, create the replication slot in the read replica.

6. Verify that your chosen tables are in the publication.

   SELECT * FROM pg_publication_tables;
   

7. Grant the Fivetran user permission to read the replication slot.

   ALTER ROLE fivetran WITH REPLICATION;
   

8. Log in as the Fivetran user.

9. Verify that the Fivetran user can read the replication slot by running the following command. Replace fivetran_pgoutput_slot with your replication slot name and fivetran_pub with the publication name.

   SELECT count(*) FROM pg_logical_slot_peek_binary_changes('fivetran_pgoutput_slot', null, null, 'proto_version', '1', 'publication_names', 'fivetran_pub');
   

   If the query succeeds, then permissions are sufficient.

The Query-Based method relies on the hidden xmin and ctid system columns that are present in all PostgreSQL tables. With Query-Based replication, Fivetran must scan every table in full to detect updated data. The need for a full table scan can lead to significant processing overhead, especially for large tables. Learn more in our Query-Based documentation.

You do not need any additional configuration for the Query-Based method.

For the Query-Based method, Fivetran performs a full table scan to detect updated data, which can cause significant processing overhead, especially for large tables. Filtering frozen pages helps reduce this overhead and makes incremental syncs faster.

(Optional) To filter frozen pages, run the following commands on your primary database as a superuser. Replace the <username> placeholder with the Fivetran database user.

CREATE EXTENSION pg_visibility;

CREATE SCHEMA fivetran;

CREATE OR REPLACE FUNCTION fivetran.get_all_pages(v_table_name character varying)

RETURNS TABLE (
    pagenumber integer,
    all_visible_yn boolean,
    all_frozen_yn boolean)
LANGUAGE plpgsql
SECURITY definer

AS $function$
declare
begin
    RETURN QUERY
    SELECT blkno::int as pageNumber,
           all_visible as all_visible_yn,
           all_frozen as all_frozen_yn
    FROM pg_visibility_map($1::regclass);
END;
$function$;

GRANT USAGE ON SCHEMA fivetran TO <username>;

GRANT EXECUTE ON FUNCTION fivetran.get_all_pages TO <username>;

Fivetran Teleport Sync is a proprietary incremental sync method that can capture deletes without requiring additional setup beyond a read-only SQL connection. Updates are captured using the XMIN system column. Learn more in our Fivetran Teleport Sync documentation.

If you are trying to connect with a standby or read replica, run the following SQL command on your primary database as the Fivetran user:

CREATE AGGREGATE BIT_XOR(IN v bigint) (SFUNC = int8xor, STYPE = bigint);

If you are not connecting with a read replica, you do not need to do any additional configuration. The aggregate that the Teleport mechanism will later use is automatically created for you.