Tableau Bridge FAQ
Find answers to frequently asked questions about Tableau Bridge.
Bridge Basics
What is Tableau Bridge?
Tableau Bridge is a proxy client that runs on a machine in your network and is used to connect your private network data to Tableau Cloud. Bridge is installed behind your organisation's firewall. It can access on-premises and virtual cloud (isolated private cloud hosted within a public cloud) data through an established and secure outbound connection from your data to Tableau Cloud.
See Use Tableau Bridge.
What is Tableau Bridge used for?
If some or all of your data is on premises or in a virtual cloud behind the firewall, you can use Bridge to securely access and connect that data to Tableau Cloud. The data can range from .csv files on your private network to data stored in a data warehouse.
Bridge also keeps your data current. If you have a viz that must be refreshed as the data is modified, Bridge can keep data fresh in Tableau Cloud, either by automatically refreshing extracts or by passing live queries to your on-premises data sources.
What's the cost of Tableau Bridge?
Tableau Bridge is a free, supported client that is used with Tableau Cloud.
What are the supported operating systems and minimum hardware requirements for Tableau Bridge?
Bridge is supported on Windows 64-bit machines and Linux. For Bridge for Linux, you must create a customised Docker image. For information about minimum hardware requirements, see Recommended software and hardware.
Do we need a separate Tableau Bridge installation for each Tableau Cloud site?
Yes. Tableau Bridge can only connect to one Tableau Cloud site at any given time. Tableau recommends installing the Bridge client on a dedicated virtual machine behind your firewall so that it doesn’t compete for resources with other applications. Only one client can be installed on a machine. For more information, see Install Bridge.
Can I use Bridge even if I can connect to the data directly from Tableau Cloud?
You don’t need to use Bridge if Tableau Cloud can access the data directly. Bridge acts as a proxy, and depending on throughput, it’s possible that Bridge will be slower than a direct connection to the data source.
How do I install Bridge?
(Windows) Download the installer from the Downloads page and follow the Install Bridge instructions. See Recommended software and hardware.
(Linux) To use Bridge for Linux, you must create a customised Docker image, install the RPM package and then run Bridge from inside the container image.
Security
How does Bridge keep data secure?
All traffic between Bridge and Tableau Cloud is secured using TLS. Bridge makes an initial outbound connection; all communication is initiated from behind a firewall using ports 80 and 443. After the initial outbound connection, communication is bidirectional. Data in transit, to and from Tableau Bridge, is encrypted. Bridge uses the following protocols depending on the connection type used by the content:
- For live connections and extract refreshes that use Bridge refresh schedules, secure WebSockets (wss://).
- For extract refreshes that use Bridge (legacy) schedules, HTTP Secure (https://).
To ensure that your data is transmitted to Tableau Cloud only, you can implement domain-based filtering on outbound connections (forward proxy filtering) from the Bridge client.
See Bridge Security.
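The domain-based filtering described above can be audited from forward-proxy logs. The following is an added example, not Tableau code: it checks CONNECT entries from a Bridge host against an allowlist and the two ports named in this FAQ. The domain `tableau-cloud.example`, the host name `bridge-vm` and the log layout are constructed placeholders; take the real domain list from the Bridge Security documentation.

```python
# Added example: audit forward-proxy CONNECT logs for a Bridge host.
# ALLOWED_DOMAINS is a placeholder; the log format is an assumption.
ALLOWED_DOMAINS = ("tableau-cloud.example",)
ALLOWED_PORTS = {80, 443}  # ports this FAQ names for Bridge traffic


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact match or true subdomain; a bare suffix match is not enough."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def parse_connect(line):
    """Return (host, port) from '<time> <client> CONNECT host:port', else None."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "CONNECT":
        return None
    host, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def violations(lines):
    """List (line, reason) for every entry outside the egress policy."""
    found = []
    for line in lines:
        parsed = parse_connect(line)
        if parsed is None:
            found.append((line, "unparseable"))
        elif parsed[1] not in ALLOWED_PORTS:
            found.append((line, "port"))
        elif not host_allowed(parsed[0]):
            found.append((line, "domain"))
    return found


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z bridge-vm CONNECT prod.tableau-cloud.example:443",
    "2024-05-01T10:00:05Z bridge-vm CONNECT tableau-cloud.example.other.example:443",
    "2024-05-01T10:00:09Z bridge-vm CONNECT nottableau-cloud.example:443",
    "2024-05-01T10:00:12Z bridge-vm CONNECT prod.tableau-cloud.example:8443",
]

if __name__ == "__main__":
    for line, reason in violations(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The second and third sample lines show why the match must be anchored on a dot boundary: both contain the allowed name as a substring but are different domains.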
Are there other ways to secure data?
You can use whitelisting to identify sites that are allowed access to your data and exclude sites that aren’t included in the list. Some data sources are always “cloud-native”, such as Amazon Athena, Redshift, Azure SQL Database and Google Cloud SQL. In these cases, Tableau Cloud expects to connect directly through IP whitelisting by default when the native connector is used.
It’s possible to configure Tableau Bridge to work with “cloud-native” data sources if the data is isolated from the Internet in a private subnet (and therefore IP whitelisting isn’t an option).
What permissions do I need?
- You need access to the Tableau Cloud account used to log in to the Tableau Bridge client and the site associated with the data.
- To assign the Bridge client to a pool (either a default pool or a named pool), you need either the Site Administrator Creator or Site Administrator Explorer role.
- To run extract refreshes:
  - For Bridge refresh schedules, the user needs Creator or Explorer (can publish). The Bridge client must be set up correctly by a site admin.
  - For Bridge legacy schedules, because the schedule must be assigned to a particular Bridge client, the user must either be the owner of that Bridge client (if the customer only has Creator or Explorer (can publish) permission) or be a site admin.
- The Creator or Explorer (can publish) role and the Data Management licence are required to publish virtual connections and refresh data with Bridge.
- (Windows) The Windows account that is running Bridge must have access to all data sources that are being connected to.
- (Windows) The Windows user account must be a member of the local admin group to run the client in service mode. If the user isn’t a local admin, they can run the Bridge client in Application mode, but they must remain logged in to the Windows machine.
What credentials are used when accessing data?
For extracts with Bridge legacy schedules, access information must be embedded in the Bridge client. The Bridge client owner must log in to the Windows machine and manually enter the credentials. This process results in database credentials being stored on the computer using the Windows credentials manager.
For Bridge refresh schedules, the credentials can be embedded for the published data source in Tableau Cloud.
For data sources accessed via Windows Authentication, there are no credentials to embed, but the Windows account that Bridge is running under must have access to the source database.
Tableau Bridge supports OAuth when connecting to private data that uses OAuth and public data that uses OAuth when it’s joined to private data. Both saved credentials and managed keychain connectors are supported by OAuth. The type of functionality depends on the connector that you use. Bridge supports both live and extract refreshes for data sources with OAuth authentication.
Tableau Bridge supports integrated Windows authentication that uses Kerberos. See Integrated Windows Authentication. However, Bridge doesn't support connections that use Kerberos as a stand-alone authentication mechanism.
What are the multi-factor authentication requirements?
If multi-factor authentication (MFA) is enabled with Tableau authentication, the connected client option must be enabled for the site so that Bridge clients can run unattended and support MFA with Tableau authentication. If connected clients are disabled for the site, Bridge can only support Tableau username and password authentication.
See Access Sites from Connected Clients.
Connections
What connection types does Bridge support?
Extract connection: When data sources or virtual connections use extracts to connect to private network data, Bridge can be used to perform scheduled refreshes of those extracts. See Additional requirements for extract connections.
Live connection: Bridge supports data sources or virtual connections with live connections to a private network. If the content owner publishes a data source or virtual connection that uses a live connection to data that Tableau Cloud detects it can't reach directly, live queries are used to keep the content fresh. See Additional requirements for live connections.
The type of data that Bridge can support falls into one of the following categories:
- Relational data
- File data, including Excel, text and statistical (.sas7bdat) files.
- Private cloud data, including Amazon Redshift, Teradata and Snowflake. For more information, see Use Bridge for Private Cloud Data.
- (Limited) JDBC data.
- (Limited) ODBC data.
- Web Data Connector 2.0 SDK. See Keep Data Fresh.
- Data used in a multi-connection data source (that is, data sources that contain a cross-database join), when all connectors are supported by Bridge. For more information, see Refreshing Cross-Database Joined Data Sources on Tableau Bridge in the Tableau Knowledge Base.
What connection types does Bridge not support?
Unsupported connectors:
- Microsoft Analysis Services
- Microsoft PowerPivot
- Oracle Essbase
- SAP NetWeaver Business Warehouse
- Connectors (.taco) built with the Tableau Connector SDK and connectors available through Tableau Exchange.
Unsupported connection types:
- Live connections to file-based data (Excel, .csv and so on)
- Live connections to Google Cloud SQL, OData, Progress OpenEdge and Tableau extracts
- All connections to cube-based data
- Snowflake when used with virtual connections
Can Bridge be set up to run continuously?
(Windows) Bridge can run in two different modes: Application mode and Service mode. Tableau recommends that you run Bridge in Service mode. If your client is set up to run in Service mode, you don’t need to be logged on to the computer running the client, but your computer must be on. By default, the client runs as an Application. This means the Windows user must be logged in to the computer where the client is running for scheduled refreshes to complete. After sign-in, the Bridge client opens from the system tray.
(Linux) Bridge on Linux runs in the background, which is the equivalent of Service mode in Tableau Bridge on Windows.
See Application versus Service mode.
Can I connect to a data source embedded in a workbook?
Yes. Tableau Bridge supports publishing a workbook directly to Tableau Cloud using embedded data sources.
Load Balancing and Pooling
How can I load balance data refreshes with Bridge?
You can configure a pool to distribute data refresh tasks among the available Bridge clients. Pools map to domains, allowing you to dedicate pools to keeping specific data fresh and maintaining security by restricting access to protected domains in your private network.
See Configure the Bridge Client Pool.
Scaling and Deployment
How can I scale with Bridge?
As a starting point, we recommend initially configuring at least two Tableau Bridge clients for redundancy, and in many Bridge deployments, more than one Bridge client is necessary to support data freshness needs.
Bridge supports up to 10 concurrent published data source extract refreshes by default. This value can be changed based on your workload and hardware requirements. See Change the Bridge Client Settings. Determine how many published data source extracts are necessary in the available time window. In many situations, there are several concentrated time blocks when extracts must occur. You need enough Bridge clients to complete all required extract refreshes within this time window. For example, if you have 7 hours of extract refreshes to run, and a 4-hour window to run them in, then 2 Bridge clients would be a reasonable number to use.
Bridge supports 16 live queries per client. Determine the number of concurrent users. Site admins can monitor traffic to data sources with live connections using a built-in administrative view in Tableau Cloud. This gives a high-level view into how often particular data sources with live connections are being accessed.
As part of your pilot and roll-out, you should monitor usage over time.
See Plan Your Bridge Deployment.
Monitoring
How can I monitor Bridge?
You can use the Traffic to Bridge Connected Data Sources admin view to see the usage of data sources with live connections. This view can help you determine which data sources are most heavily used and those that are used less often.
The Bridge Extracts admin view captures the last 30 days' worth of refresh activity by Tableau Bridge. Only jobs that have been successfully started by the Bridge client have a record in the Bridge Extracts admin view.