Tableau Bridge FAQ

Find answers to commonly asked questions about Tableau Bridge.

Bridge Basics

What is Tableau Bridge?

Tableau Bridge is a proxy client that runs on a machine in your network and is used to connect your private network data to Tableau Cloud. Bridge is installed behind your organization's firewall. It can access on-premises and virtual cloud (isolated private cloud hosted within a public cloud) data through an established and secure outbound connection from your data to Tableau Cloud.

See Use Tableau Bridge.

What is Tableau Bridge used for?

If some or all of your data is on premise or in a virtual cloud that is behind the firewall, you can use Bridge to securely access and connect data to Tableau Cloud. The data can range from .csv files on your private network or stored in a data warehouse.

Bridge also keeps your data current. If you have a viz that needs to be refreshed as the data is modified, Bridge can keep data fresh in Tableau Cloud, either by automatically refreshing extracts, or by passing live queries to your on-premise data sources.

What's the cost of Tableau Bridge?

Tableau Bridge is a free, supported client that is used in conjunction with Tableau Cloud.

What are the supported OS systems and minimum hardware requirements for Tableau Bridge?

Currently, Bridge is supported on Windows 64-bit machines. For information about minimum hardware requirements, see Recommended software and hardware.

Do we need a separate Tableau Bridge installation for each Tableau Cloud site?

Yes. Tableau Bridge can only connect to one Tableau Cloud site at any given time. Tableau recommends installing the Bridge client on a dedicated virtual machine behind your firewall so that it does not compete with resources from other applications. Only one client can be installed on a machine. For more information, see Install Bridge.

Can I use Bridge even if I can connect to the data directly from Tableau Cloud?

You don’t need to use Bridge if Tableau Cloud can access the data directly. Bridge acts as a proxy, and depending on throughput, it’s possible that Bridge will be slower than a direct connection to the data source.

How do I install Bridge?

Download the installer from the Downloads page and follow the Install Bridge instructions.

See Recommended software and hardware.


How does Bridge keep data secure?

All traffic between Bridge and Tableau Cloud is secured using TLS. Bridge makes outbound connections only; all communication is initiated from behind a firewall using ports 80 and 443. Data in transit, to and from Tableau Bridge, is encrypted. Bridge uses the following protocols depending on the connection type used by the content:

  • For live connections and extract refreshes that use Online schedules, secure WebSockets (wss://).
  • For extract refreshes that use Bridge (legacy) schedules, HTTP Secure (https://).

To ensure that your data is transmitted to Tableau Cloud only, you can implement domain-based filtering on outbound connections (forward proxy filtering) from the Bridge client.

See Bridge Security.

Are there other ways to secure data?

You can use whitelisting to identify sites that are allowed access to your data and exclude sites that aren’t included in the list. Some data sources are always “cloud-native”, such as Amazon Athena, Redshift, Azure SQL Database, Google Cloud SQL. In these cases, Tableau Cloud expects to connect directly through IP whitelisting by default when the native connector is used.

It’s possible to configure Tableau Bridge to work with “cloud-native” data sources if the data is isolated from the Internet in a private subnet (and therefore IP whitelisting isn’t an option).

What permissions do I need?

  • You need access to the Tableau Cloud account used to log in to Tableau Bridge client and the site associated with the data.
  • To assign the Bridge client to a pool (either default pool or a named pool), you need either Site Administrator Creator or Site Administrator Explorer role.
  • To run refresh extracts:
    • For Online Schedules, the user needs Creator or Explorer (can publish). The Bridge client must be set up correctly by site admin.
    • For Legacy Schedules, because the schedule needs to be assigned to a particular Bridge client, the user either needs to be the owner of that Bridge client (if the customer only has Creator or Explorer (can publish) permission) or be a site administrator.
  • The Creator or Explorer (can publish) role and the Data Management license is required to publish virtual connections and refresh data with Bridge.
  • The Windows account that is running Bridge needs to have access to all data sources that are being connected to.
  • The Windows user account must be a member of the local admin group to run the client in service mode. If the user isn’t a local admin, they can run the Bridge client in Application mode, but they must remain logged in to the Windows machine.

What credentials are used when accessing data?

For extracts with Legacy Schedules, access information must be embedded in the Bridge client. The Bridge client owner must log in to the Windows machine and manually enter the credentials. This process results in database credentials being stored on the computer using Windows credentials manager.

For Online Schedules, the credentials can be embedded for the published data source in Tableau Cloud.

For data sources accessed via Windows Authentication, there are no credentials to embed, but the Windows account that Bridge is running under must have access to the source database.

Tableau Bridge supports OAuth when connecting to private data that uses OAuth and public data that uses OAuth when it’s joined to private data. Both saved credentials or managed keychain connectors are supported by OAuth: The type of functionality is dependent on the connector that you use. Bridge supports both live and extract refreshes for data sources with OAuth authentication.

Tableau Bridge doesn't support connections that use Kerberos authentication.

What are the multi-factor authentication requirements?

If multi-factor authentication (MFA) is enabled with Tableau authentication, Bridge clients must be running Bridge version 2021.1 and later. The connected client option must be enabled for the site to allow Bridge clients to run unattended and, if enabled, support multi-factor authentication with Tableau authentication. If connected clients are disabled for the site, Bridge can only support Tableau username and password authentication.

See Access Sites from Connected Clients.


What connection types does Bridge support?

Extract connection: When data sources or virtual connections use extracts, to connect to private network data, Bridge can be used to perform scheduled refreshes of those extracts. See Additional requirements for extract connections.

Live connection: Bridge supports data sources or virtual connections with live connections to a private network. If the content owner publishes a data source or virtual connection that uses a live connection to data that Tableau Cloud detects that it can't reach directly, live queries are used to keep the content fresh. See Additional requirements for live connections.

The type of data that Bridge can support falls into one of the following categories:

  • Relational data
  • File data, including Excel, text, and statistical (.sas7bdat) files.
  • Private cloud data, including Amazon Redshift, Teradata, and Snowflake. For more information, see .Use Bridge for Private Cloud Data.
  • (Limited) JDBC data.
  • (Limited) ODBC data.
  • (Limited) web data connector (WDC) data if the data can be accessed by entering a standard user name and password.
  • Data used in a multi-connection data source (i.e., data sources that contain a cross-database join), when all connectors are supported by Bridge. For more information, see Refreshing Cross-Database Joined Data Sources on Tableau Bridge in the Tableau Knowledge Base.

What connection types does Bridge not support?

Unsupported connectors:

  • Microsoft Analysis Services
  • Microsoft PowerPivot
  • Oracle Essbase
  • SAP NetWeaver Business Warehouse
  • Connectors (.taco) built with the Tableau Connector SDK and connectors available through Tableau Exchange.

Unsupported connection types:

  • Live connections to file-based data (excel, .csv, etc)
  • Live connections to Google Cloud SQL, OData, Progress OpenEdge, and Tableau extracts
  • All connections to cube-based data
  • Snowflake when used with virtual connections
  • Data sources embedded directly in workbooks. See Connectivity with Bridge.

How does Bridge support Web Data Connector (WDC) data source types?

Bridge has limited support for WDC data source types. Only WDCs with basic authentication are supported. You must be able access the data by entering a standard user name and password.

Custom authentication WDCs are not supported for refresh in Bridge. For more information about different WDC authentication types, see WDC Authentication.

Can Bridge be set up to run continuously?

Bridge can run in two different modes: Application mode and Service mode. Tableau recommends that you run Bridge in Service mode. If your client is set up to run in Service mode, you don’t need to be logged on to the computer running the client, but your computer must be on.

By default, the client runs as an Application. This means the Windows user must be logged on to the computer where the client is running in order for scheduled refreshes to complete. After sign-in, the Bridge client opens from the system tray.

See Application versus Service mode.

Can I connect to a data source embedded in a workbook?

Bridge can only be used against individually published data sources, and it can't be used against data sources embedded in a workbook. The workaround is to download the embedded data source and republish them as a published data source. For information about how to publish the data source individually and setup the schedule, see Set up a schedule.

Load Balancing and Pooling

How can I load balance data refreshes with Bridge?

You can configure a pool to distribute data refresh tasks among the available Bridge clients. Pools map to domains, allowing you to dedicate pools to keeping specific data fresh and maintaining security by restricting access to protected domains in your private network.

See Configure the Bridge Client Pool.

Scaling and Deployment

How can I scale with Bridge?

As a starting point, we recommend initially configuring at least two Tableau Bridge clients for redundancy, and in many Bridge deployments, more than one Bridge client is necessary to support data freshness needs.

Bridge can support up to 10 concurrent extract refreshes. Determine how many extracts are necessary in the available time window. In many situations, there are several concentrated time blocks when extracts need to occur. You will need enough Bridge clients to complete all required extract refreshes this time window. For example, if you have 7 hours of extract refreshes to run, and a 4-hour window to run them in, then 2 Bridge clients would be a reasonable number to use.

Bridge supports 16 live queries per client. Determine the number of concurrent users. Site admins can monitor traffic to data sources with live connections using a built-in administrative view in Tableau Cloud. This gives a high-level view into how often particular data sources with live connections are being accessed.

As part of your pilot and rollout you should monitor usage over time.

See Plan Your Bridge Deployment.


How can I monitor Bridge?

You can use Traffic to Bridge Connected Data Sources admin view to see usage of data sources with live connections. This view can help you determine which data sources are most heavily used and those that are used less often.

The Bridge Extracts admin view captures the last 30-days' worth of refresh activity by Tableau Bridge. Only jobs that have been successfully started by the Bridge client have a record in the Bridge Extract admin view.

Thanks for your feedback!