Expand Data Freshness Options by Using Tableau Bridge
When data sources published to your Tableau Online site connect to underlying data that Tableau Online cannot reach directly, you can use Tableau Bridge to keep those data sources up to date. Tableau Bridge can maintain live connections to on-premises data or run scheduled extract refreshes.
The sections below tell you more about how Tableau Bridge works, when to use it or when not to use it, and its system requirements. This information is for site administrators or data source publishers who have administrator-level access to your Tableau Online site.
Beginning in version 2018.2, Tableau Bridge is software that you can install separately from Tableau Desktop, for use by any authorized user of Tableau Online. For more information, see Install Tableau Bridge.
The Tableau Bridge client is a Windows program that runs on a computer on your network. It works in conjunction with Tableau Online to keep on-premises data, which Tableau Online can't reach directly, up to date.
To keep your on-premises data up to date, you sign in to your Tableau Online site through the Tableau Bridge client. The client remains signed in to your site using one of your Tableau Online user accounts.
The Tableau Bridge client communicates with Tableau Online through an encrypted TLS connection to keep published data sources up to date. It does this by querying underlying data defined in the data source that contains a live connection, or by refreshing extracts on a schedule.
The Tableau Bridge client can operate in one of two modes: Application and Service. You can run the client in one of these modes, depending on your Windows account, the Tableau Online site settings that the client is associated with, and your general needs.
Application: When the client is set to run in Application mode, it runs as a Windows application and resides in the Windows system tray. In the client, the Mode setting shows Application.
In this mode, the client can maintain live queries and scheduled refreshes of the on-premises data while the dedicated user is logged on to Windows. This is how it runs by default. If the dedicated user logs off Windows, the client cannot maintain live queries and refresh extracts on a schedule.
Service: When the client is set to run in Service mode, it runs as a Windows service. In the client, the Mode setting shows Service.
In this mode, the client runs continuously even if you log out of Windows. You must be a local administrator on your computer to use the client in service mode. A common practice is to put Tableau Bridge on a VM that is always on and running maintenance tasks.
Guidelines for using application mode versus service mode
| Extract connection with scheduled refresh | Live connection |
|---|---|
| Recommended for managing refreshes using a central client. For more information, see Manage extract data sources using a central Tableau Bridge client. | Recommended for load balancing live queries. For more information, see 3. (Optional) Configure additional clients to load balance live queries. |
Use Tableau Bridge with Tableau Online to keep your data fresh in the following ways:
Schedule refreshes for extracts
You can schedule refreshes of the following types of data:
On-premises data, including file-based data, such as Excel. You can also schedule refreshes of relational data that you don't want to publish with a live connection.
On-premises cloud data and some ODBC data, including Oracle data hosted on Amazon RDS and some ODBC data accessible only from within a private network and not from the public internet.
Some web data connector (WDC) data, if you access it by entering a standard user name and password. You can't use Tableau Bridge to maintain live connections to Web Data Connector data that you access through the data provider's website using OAuth.
Maintain live connections to on-premises (including cloud) data
For example, SQL Server or Oracle data.
Not supported by Tableau Bridge
There are a couple of scenarios that Tableau Bridge does not support:
- Live connections to file-based data.
- Scheduled refreshes or live connections to cube data.
Unless otherwise specified, Tableau Bridge supports live connections and extract refreshes to on-premises (accessible only from within a private network) data whose data sources use the following connectors. If you don't see a connector listed, see When to use an alternative.
- Excel (extract refresh only)
- Text File (extract refresh only)
- Statistical file - .sas7bdat (extract refresh only)
- Amazon EMR Hadoop Hive
- Google Cloud SQL (extract refresh only)
- HortonWorks Hadoop Hive
- IBM PDA (Netezza)
- MAPR Hadoop Hive
- Microsoft SQL Server
- Pivotal Greenplum Database
- SAP HANA (extract refresh only)
- SAP Sybase ASE
- SAP Sybase IQ
- Tableau extracts (extract refresh only)
- Web Data Connector (not using OAuth)
- Other Databases (ODBC)
You cannot use Tableau Bridge to maintain data freshness for cloud data that Tableau Online can reach directly, or for some Web Data Connector (WDC) data sources.
For cloud data, setting up schedules directly on Tableau Online is almost always a better (or in some cases the only) choice. For some WDC data sources, scheduling refreshes is not an option because of OAuth.
Cloud data that Tableau Online can reach directly
You cannot use Tableau Bridge to maintain data freshness for cloud data, accessible from the public internet, that Tableau Online can reach directly. For a list of connectors supported by Tableau Online, see Allow Direct Connections to Data Hosted on a Cloud Platform.
Extracts of other cloud data
You can sign in to some cloud data by providing a standard user name and password. An example of this is an extract that connects to a MySQL database hosted on a cloud platform.
For extracts of these cloud data sources, see Schedule Refreshes on Tableau Online.
Data you access through the provider’s web authorization page (OAuth)
Popular providers that use OAuth include Salesforce.com, Google, and WDC data sources created from QuickBooks Online, Facebook, Twitter, and other websites.
To determine whether your data requires OAuth, sign in to your cloud data through Tableau Desktop. If you are redirected to the data provider’s sign-in page, that provider most likely uses OAuth or a similar standard, and therefore you cannot use Tableau Bridge for that data.
As an alternative to Tableau Bridge, to refresh data that you connect to through OAuth:
For extracts of Salesforce and Google data, you can set up a schedule directly on Tableau Online.
For extracts of WDC data sources you created from Facebook, Twitter, or other websites, you can refresh the extracts from Tableau Desktop, either by using the Refresh from Source command, or by republishing the data source. For more information, see Refresh Extracts from Tableau Desktop.
Tableau Bridge applies the following security designs:
- All communication is initiated from behind the on-premises firewall and therefore does not require you to manage additional exceptions.
- Data in transit, to and from Tableau Bridge, is encrypted.
- Database credentials are stored on the computer using the Windows credentials manager.
You can find more details about Tableau Bridge security in the sections below.
Data, to and from the Tableau Bridge client, is transmitted by a TLS 1.2 connection.
To connect to Tableau Online, Tableau Online credentials are entered through the Tableau Bridge client. After 1) the credentials are entered, 2) an authorization token is returned by Tableau Online. The 3) token is stored on the computer where the client is running using the credentials manager of the Windows operating system. Tableau Bridge uses the token to perform various tasks such as downloading the refresh schedule information for an extract.
To access on-premises data, some data sources require authentication using database credentials. Depending on the connection type of the data source, the Tableau Bridge client handles database credentials in one of the following ways:
For extract connections with scheduled refreshes, if your data source requires database credentials, these credentials must be entered in the client directly. The database credentials are stored on the computer using the credentials manager of the Windows operating system. The client sends the database credentials to the database, which is also behind the on-premises firewall, at the scheduled refresh time.
For live connections, database credentials are sent at the time of the request and use a TLS 1.2 connection.
The client supports domain-based security (Active Directory) and user name/password credentials to access on-premises data.
Changes to on-premises firewall
The Tableau Bridge client requires no changes to the on-premises firewall. The client achieves this by making only outbound connections to Tableau Online. To allow outbound connections, the client uses the following protocols depending on the connection type used by the data source:
For extract connections with scheduled refreshes, HTTP Secure (https://).
For live connections, secure WebSockets (wss://).
Connections to on-premises data are initiated by the Tableau Bridge client to Tableau Online. The process by which the connection is initiated depends on the connection type of the data source.
For extract connections with scheduled refreshes, the client 1) contacts Tableau Online using a secure connection (https://) for new refresh schedules and data source (.tds) files. If 2) this information is available, at the scheduled time, 3/4) the client connects to the on-premises data using the stored credentials. The client then 5) creates an extract of the data and then 6) republishes the extract to Tableau Online using a Tableau Bridge service. The Tableau Bridge service is a part of the client that resides on Tableau Online.
For live connections, the client 1) establishes a persistent connection to a Tableau Bridge service, which is the part of the client that resides on Tableau Online, using secure WebSockets (wss://). The client then waits for a response from Tableau Online before 2) initiating a live query to the on-premises data. The client 3) passes the query to the on-premises data, then 4) returns the on-premises data using 5) the same persistent connection.
To ensure that your data is transmitted to Tableau Online only, you can implement domain-based filtering on outbound connections (forward proxy filtering) from the Tableau Bridge client.
The following list contains the partially qualified domain names that Tableau Bridge requires for outbound connections:
- *.newrelic.com, used for client application performance monitoring
- *.nr-data.net, used for client application performance monitoring
- *.cloudfront.net, a CDN used for static content
- *akamai, a CDN for some Tableau Online pods
- crash-artifacts-747369.s3.amazonaws.com, used for receiving crash dump reports
- s3-us-west-2-w.amazonaws.com, used for receiving crash dump reports
- s3-w-a.us-west-2.amazonaws.com, used for receiving crash dump reports
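The following added example (not Tableau's own code) audits forward-proxy log lines from the Tableau Bridge computer against the domain list above and the two outbound protocols, https:// and wss://. The log format, the host name `bridge-vm`, and the `*.tableau-online.example` pattern standing in for your Tableau Online domain are assumptions; the `*akamai` entry is omitted because the list does not give it as a complete pattern.

```python
from urllib.parse import urlsplit

# From the list above; the incomplete "*akamai" entry is left out, not guessed.
ALLOWED_PATTERNS = [
    "*.newrelic.com",
    "*.nr-data.net",
    "*.cloudfront.net",
    "crash-artifacts-747369.s3.amazonaws.com",
    "s3-us-west-2-w.amazonaws.com",
    "s3-w-a.us-west-2.amazonaws.com",
    "*.tableau-online.example",  # placeholder (assumption) for your Tableau Online domain
]
ALLOWED_SCHEMES = {"https", "wss"}  # extract refreshes use https, live connections use wss


def host_allowed(host, patterns=ALLOWED_PATTERNS):
    """Match case-insensitively on DNS label boundaries, ignoring a trailing dot."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:].lower()  # for example ".newrelic.com"
            # Keeping the leading dot stops look-alike names and the bare apex matching.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern.lower():
            return True
    return False


def audit(log_lines):
    """Return (url, reason) for every logged destination outside the policy."""
    findings = []
    for line in log_lines:
        url = line.split()[-1]  # assumed log format: "<time> <client> <url>"
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:
            findings.append((url, "scheme is not https or wss"))
        elif not host_allowed(parts.hostname or ""):
            findings.append((url, "host is not on the allowlist"))
    return findings


SAMPLE_LOG = [  # constructed lines, not real proxy output
    "2024-01-01T02:00:01Z bridge-vm wss://pod.tableau-online.example/live",
    "2024-01-01T02:00:02Z bridge-vm https://Collector.NewRelic.com./data",
    "2024-01-01T02:00:03Z bridge-vm https://nottableau-online.example/data",
    "2024-01-01T02:00:04Z bridge-vm http://s3-us-west-2-w.amazonaws.com/dump",
    "2024-01-01T02:00:05Z bridge-vm https://tableau-online.example.files.example/x",
]
```

Calling `audit(SAMPLE_LOG)` returns the last three constructed lines: two hosts that only resemble an allowed domain, and one allowed host reached over plain http.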
Tableau Bridge has a core set of requirements, as well as those that are specific to the way you want to use it.
Availability and core requirements
Tableau Bridge is available only with the 64-bit version of Windows.
The computer on which you run Tableau Bridge must be on the same Windows domain and have access to the underlying database specified in the published data source.
Both the Tableau Bridge computer and the Windows user must have access to the underlying data specified in the published data source.
The appropriate database drivers must be installed on the computer that runs Tableau Bridge.
To run the client in Service mode, the user account running Tableau Bridge must be a local administrator on the computer. The user doesn't need to be logged on to Windows, but the computer must be powered on with Windows running.
When using the client in Service mode and connecting to flat file data sources hosted on a network shared drive, it is required that the Windows service account be a domain account (not a local admin account) that has access to the network shared drive.
Additional requirements specific to maintaining live connections
To maintain live connections, you can run Tableau Bridge as a service or as an application. In addition to the core requirements:
The user signed in to Tableau Online through Tableau Bridge must have a Site Administrator site role.
This can be either Site Administrator Creator or Site Administrator Explorer.
Each Tableau Online site can have multiple clients that maintain live connections. Those clients can also be used to refresh extracts.
If you set Tableau Bridge to run as an application, live queries can only occur when the computer is powered on, and the Windows user is logged on and running Tableau Bridge.
If the computer is turned off, if you log off Windows, or if you exit Tableau Bridge, updates for the data sources you set up in Tableau Bridge will not be able to reach Tableau Online, and the published data sources can't be kept up to date.
To maintain live connections using Tableau Bridge, the database cannot be accessible from the public internet.
Additional requirements specific to refreshing extracts
To refresh extracts, you can run Tableau Bridge as a service or as an application. In addition to the core requirements:
The user signed in to Tableau Online through Tableau Bridge must have a Creator, Explorer (Can Publish), or either type of Site Administrator site role on the Tableau Online site.
If the user is not a site administrator, they must be the owner of the published data source.
If you set Tableau Bridge to run as an application, it completes refreshes only when the computer is powered on, and the Windows user is logged on and running Tableau Bridge.
If the computer is turned off, if you log off Windows, or if you exit Tableau Bridge, updates for the data sources you set up in Tableau Bridge will not be able to reach Tableau Online, and the published data sources do not get refreshed until you sign in again. During this time, you will receive refresh failure notification emails from Tableau Online. For more information, see Stop Keeping Data Fresh through Tableau Bridge.
To ensure refreshes of file-based and statistical file-based data sources complete without any issues, a Tableau Bridge client that has been set up to run as a service must reference the full UNC path of the source file and not the mapped drive path. For a client that has been set up to run as an application, Tableau strongly recommends the client also reference the full UNC path. For more information, see Change the file path for a linked data source.
If you’re familiar with the Tableau Bridge basics and ready to set up and start using Tableau Bridge, see one of the following topics:
For site administrators, see Allow Your Publishers to Maintain Live Connections to On-Premises Data.
For data source publishers, see Use Tableau Bridge to Keep Tableau Online Data Fresh.
You might also be interested in the following:
The Tableau Blog post Introducing Tableau Bridge: live queries to on-premises data from Tableau Online