
Migrate from AWS RDS

Move an RDS (or Aurora) Postgres database into CapyDB.

Get the source connection string

From the AWS console: RDS → Databases → your instance → Connectivity & security. The endpoint and port are listed there; the database name, user, and password are whatever you provisioned.

postgres://master_user:password@mydb.xxxxxxxx.eu-central-1.rds.amazonaws.com:5432/dbname

RDS-specific caveats

  • Public reachability is the hard part. The import source must be reachable from the internet. The instance needs Publicly accessible: Yes and a security-group inbound rule for port 5432 (temporarily 0.0.0.0/0, or tighter if you can). Instances in private subnets are not reachable no matter what the flag says — check the subnet route table. Revert the exposure after the import.
  • IAM authentication does not work for imports. The importer authenticates with a password in the URL. If the database uses IAM auth exclusively, create a temporary password-authenticated user (CREATE USER importer WITH PASSWORD '...'; GRANT ...) for the copy.
  • TLS: RDS supports TLS out of the box; sslmode=require (applied automatically) is sufficient — no CA bundle gymnastics needed at that level.
  • Extensions: RDS allows many. Cross-check what you actually installed (\dx) against the allowlist; postgis, pglogical, aws_* extensions are not on it.
  • Version: RDS lags or leads depending on your maintenance policy. The target runs Postgres 17 — a source on 18+ fails the no-downgrade check.

Preflight

capydb import preflight --source-url "postgres://master_user:password@mydb....rds.amazonaws.com:5432/dbname"

A timeout here almost always means the security group / public-accessibility work above is not finished.

Import

Stop writers (or take an application maintenance window), then:

capydb import --source-url "postgres://...rds.amazonaws.com:5432/dbname" --recreate --wait

After the import

  1. Spot-check sequences.
  2. \dx for extensions.
  3. ANALYZE;
  4. Cut over env vars, deploy, watch Observability — then close the security-group hole you opened.
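
A check for the last step above and for the "Revert the exposure" caveat, as an added example that is not part of the CapyDB docs: it reads JSON shaped like the output of `aws rds describe-db-instances` (one `DBInstances` entry) and `aws ec2 describe-security-groups`, and reports whether the instance is still flagged public or still has port 5432 open to every address. The sample data and security-group IDs are constructed, and the function names are hypothetical.

```python
import ipaddress
import json

PG_PORT = 5432  # inbound port the import needed

def world_open_rules(describe_sgs, port=PG_PORT):
    """(group_id, cidr) for each inbound rule exposing `port` to every address."""
    findings = []
    for group in describe_sgs.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":      # "all traffic" rules carry no port range
                covers = True
            elif proto == "tcp":   # a range such as 5000-6000 also covers 5432
                covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
            else:
                covers = False
            if not covers:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c) for c in cidrs
                         if ipaddress.ip_network(c, strict=False).prefixlen == 0]
    return findings

def exposure_report(db_instance, describe_sgs):
    """Combine the instance's public flag with open rules on its attached groups."""
    attached = {g["VpcSecurityGroupId"] for g in db_instance.get("VpcSecurityGroups", [])}
    return {
        "publicly_accessible": db_instance.get("PubliclyAccessible", False),
        "world_open": [f for f in world_open_rules(describe_sgs) if f[0] in attached],
    }

# Constructed sample data shaped like AWS CLI JSON output; all IDs are made up.
SAMPLE_INSTANCE = {"PubliclyAccessible": True, "VpcSecurityGroups": [
    {"VpcSecurityGroupId": "sg-0example1"}, {"VpcSecurityGroupId": "sg-0example2"}]}
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0example1", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0example2", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0example3", "IpPermissions": [
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_INSTANCE, SAMPLE_SGS), indent=2))
```

An empty `world_open` list together with `publicly_accessible` set to false is the state to reach once the cutover is done.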